
Information Technology Management, Audit and Control (E-15)


ARRANGED ATTEMPT-WISE

ICAP PAST PAPERS QUESTION & ANSWERS

Compiled By: Faisal Zia B.Com (Gold Medalist) CA Finalist

Information Technology Management, Audit & Control

By: Faisal Zia (www.professionalsworld.net)

PREFACE
The Examinations of ICAP are a demanding test of students' ability to master the wide range of knowledge and skills required of modern professionals. The subject of ITMAC is one of the efforts made by ICAP in this context for enhancing students' knowledge through a detailed overview of Information Technology Management, Audit & Control. In this kit I have arranged questions from the last 09 papers of ICAP exams along with their suggested answers. These notes will be updated after every ICAP attempt, Insha-ALLAH. Till now this kit includes questions and answers up to the June 2012 attempt. In case you find any discrepancies or errors in this booklet please let us know via email at fzh.fca@gmail.com. Your suggestions and feedback are also awaited. I hope it will be beneficial for students of Module-E. May ALLAH bless all of you with success in every exam of both lives. Please also pray for me.
Thanks,
Faisal Zia
February 13, 2013
For notes and study material on all subjects of CA visit www.professionalsworld.net www.canotes.net


(1) Question Background: Summer 2012, Q # 1
While conducting the IS audit of Wonder Bank Limited you have observed the following roles/duties assigned to various users:
(a) Tape Librarian records scheduled backups.
(b) Application Programmers perform changes in test programs.
(c) Operational support staff executes changes in batch schedules.
(d) One of the Application Programmers is also responsible for Security Administration.
(e) Database Administrator performs data entry tasks during peak load period.
Required: Analyze each of the above observations and discuss the risk of fraud/weakness, if any, in each case. (10 marks)
Suggested Answer:
(a) The librarian is required to record, issue, receive and safeguard all programs and data files that are maintained on computer tapes/disks in an Information Processing Facility. The check and balance on the currency and completeness of backups stored in the library would be weakened if the scheduled backups are recorded by the librarian.
(b) Test programs are used only in development and do not directly impact live processing. Hence there is no risk in this case.
(c) The implementation of changes to batch schedules by operations staff will affect the scheduling of the batches only. It does not impact the live data. Hence there is no risk in this case.
(d) The functions of Application Programmer and Security Administrator are incompatible. The level of security administration access rights could allow changes to go undetected.
(e) The Database Administrator (DA) has the tools to establish controls over the database and the ability to override these controls. He also has the capability of gaining access to all data, including production data. If data entry is performed by the DA it would contradict the separation of duties principle and could compromise the confidentiality of data as well.
(2) Question Background: Summer 2012, Q # 2
You are a member of the team which is conducting the IS audit of Awesome Textiles Limited (ATL). ATL has a well-established IS Department and a dedicated in-house Systems Development team. The key members in the team are System Development Manager, Project Manager, System Analyst and Quality Assurance Manager. Your team leader has assigned you to evaluate the following risk: New programs or the changes made in existing programs are NOT authorized, tested and documented and may NOT operate as planned.
Required:
(a) Identify any 12 controls which you would expect to exist to mitigate the above risk. (09 marks)
(b) Also identify the member of the System Development Team who should be responsible for each control identified in part (a) above. (06 marks)
Suggested Answer:
Control, with the Responsible Person (RP) in brackets:
(i) Development and change requests are documented and approved at an appropriate level. (SDM)
(ii) Procedure exists for assigning priorities and monitoring the status of outstanding requests. (PM)
(iii) Procedure exists for documenting requirement definition for new programs. (SA)
(iv) Procedure exists for getting system design approval from the appropriate level. (SA)
(v) Procedure exists for testing the development and changes in programs. (QAM)
(vi) Test results are documented. (QAM)
(vii) Procedure exists for reviewing new and amended programs before implementation. (QAM)
(viii) Procedure exists for implementing new and amended programs. (SDM)
(ix) User acceptance testing is documented. (QAM)
(x) Procedure exists for reviewing new and amended programs after implementation. (QAM)
(xi) The names/designations of persons authorized to approve amendments in programs are documented. (SDM)
(xii) The names/designations of persons authorized to make amendments in programs are also documented. (SDM)
(xiii) Procedure exists for transferring a copy of source code from production to test environment and vice versa. (SDM)
(xiv) Appropriate naming convention exists for test and live production programs. (QAM)
(xv) Log of all changes made to a program during a given time is available. (QAM)
Legend: RP = Responsible Person; SDM = System Development Manager; PM = Projects Manager; SA = System Analyst; QAM = Quality Assurance Manager.
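The controls listed in the answer above are the kind of thing an IS auditor can test with a computer-assisted audit technique rather than by reading each change file. The following Python script is an added example, not ATL's or ICAP's code: it reads a change log of the sort kept under control (xv) and reports exceptions against the documented approver and developer lists (controls xi and xii), documented test results, pre-implementation review and UAT (controls vi, vii and ix), and segregation of duties between the approver and the developer. All change IDs, program names and user names are constructed for illustration.

```python
"""Audit a program change log against change-control expectations:
documented approval, authorised approvers and developers, documented
test/UAT evidence and a pre-implementation review.

Added example, not ATL's or ICAP's code. All names, change IDs and
records below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Controls (xi) and (xii): documented lists of persons authorised to
# approve and to make amendments in programs (constructed user names).
AUTHORIZED_APPROVERS = {"sdm.ahmed", "pm.khan"}
AUTHORIZED_DEVELOPERS = {"dev.ali", "dev.sara"}


@dataclass(frozen=True)
class ChangeRecord:
    """One entry of the change log kept under control (xv)."""
    change_id: str
    program: str
    approved_by: Optional[str]            # None = no documented approval
    developed_by: str
    test_results_documented: bool         # control (vi)
    reviewed_before_implementation: bool  # control (vii)
    uat_documented: bool                  # control (ix)
    moved_to_production: bool             # control (viii) was exercised


def audit_change(rec: ChangeRecord) -> List[str]:
    """Return the control exceptions found for a single change record."""
    findings: List[str] = []
    if rec.approved_by is None:
        findings.append("no documented approval of the change request (control i)")
    elif rec.approved_by not in AUTHORIZED_APPROVERS:
        findings.append(f"approver '{rec.approved_by}' is not on the authorised list (control xi)")
    if rec.developed_by not in AUTHORIZED_DEVELOPERS:
        findings.append(f"developer '{rec.developed_by}' is not on the authorised list (control xii)")
    if rec.approved_by is not None and rec.approved_by == rec.developed_by:
        findings.append("the same person approved and made the change (segregation of duties)")
    # Evidence of testing and review matters once the program reaches production.
    if rec.moved_to_production:
        if not rec.test_results_documented:
            findings.append("moved to production without documented test results (control vi)")
        if not rec.reviewed_before_implementation:
            findings.append("moved to production without pre-implementation review (control vii)")
        if not rec.uat_documented:
            findings.append("moved to production without documented UAT (control ix)")
    return findings


def audit_log(records: List[ChangeRecord]) -> Dict[str, List[str]]:
    """Map every change ID that has exceptions to its list of findings."""
    report: Dict[str, List[str]] = {}
    for rec in records:
        findings = audit_change(rec)
        if findings:
            report[rec.change_id] = findings
    return report


# Constructed sample log: one clean change and three with exceptions.
SAMPLE_LOG = [
    ChangeRecord("CHG-001", "payroll.cbl", "sdm.ahmed", "dev.ali", True, True, True, True),
    ChangeRecord("CHG-002", "gl_post.cbl", None, "dev.sara", True, True, False, True),
    ChangeRecord("CHG-003", "invoice.cbl", "dev.ali", "dev.ali", True, True, True, True),
    ChangeRecord("CHG-004", "report.cbl", "pm.khan", "contractor.x", False, False, False, False),
]

if __name__ == "__main__":
    for change_id, findings in audit_log(SAMPLE_LOG).items():
        print(change_id)
        for finding in findings:
            print("  -", finding)
```

Run against the constructed log, CHG-001 produces no findings, CHG-002 is flagged for a missing approval and missing UAT evidence, CHG-003 for an approver who is not on the authorised list and who is also the developer, and CHG-004 only for an unauthorised developer, because the missing test evidence matters once the change reaches production.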

(3) Question Background: Summer 2012, Q # 3(a)
Briefly describe five important factors that should be considered, and their significance, in the development of an appropriate recovery strategy as part of a comprehensive Business Continuity Plan. (08 marks)
Suggested Answer:
The following factors should be considered while devising a future recovery strategy:
(i) Recovery Point Objective (RPO): It indicates the pre-incident point in time to which data must be recovered. For example, if an organisation can afford to lose data up to two hours before a disaster, then the latest data backup available should be at most two hours before the interruption or disaster.
(ii) Recovery Time Objective (RTO): It indicates the earliest point in time at which the business must resume after a disaster. It is based on the acceptable downtime in case of a disruption of operations.
(iii) Interruption Window: It is the time the organization can wait from the point of failure to the restoration of critical services/applications. After this time, the progressive losses caused by the interruption are unaffordable.
(iv) Service Delivery Objective (SDO): It is the level of services to be reached during the alternate process mode until the normal situation is restored.
(v) Maximum Tolerable Outage (MTO): It is the maximum time the organization can support processing in alternate mode. After this point, different problems may arise, especially if the alternate SDO is lower than the usual SDO and the information pending to be updated can become unmanageable.
Based on the above factors, an organisation decides how many resources it has to deploy to achieve Business Continuity. For example, if the RPO is in minutes then data mirroring or duplexing should be implemented as the recovery strategy. If the RTO is lower, then the alternate site might be preferred over a hot site contract.
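The last paragraph of the answer is the practical step: the five factors become acceptance criteria against which candidate recovery strategies are tested, and the cheapest strategy that meets all of them is the sensible choice. The Python below is an added example, not part of the ICAP answer, that carries this through with the document's own terms (RPO, RTO, interruption window, SDO, MTO). Every figure in it is constructed; in practice the objectives come from the business impact analysis and the option figures from vendor SLAs and recovery tests. The check that the RTO must fit inside the interruption window is an assumption of the example, not a rule stated in the answer.

```python
"""Test candidate recovery strategies against the five BCP recovery
factors (RPO, RTO, interruption window, SDO and MTO).

Added example, not from the ICAP answer. Every figure below is
constructed; a real organisation takes its objectives from the business
impact analysis and the option figures from vendor SLAs and tests.
"""
from dataclasses import dataclass
from datetime import timedelta
from typing import List, Optional


@dataclass(frozen=True)
class RecoveryObjectives:
    rpo: timedelta                  # maximum acceptable data loss
    rto: timedelta                  # business must resume within this time
    interruption_window: timedelta  # after this, losses become unaffordable
    sdo_percent: int                # service level required in alternate mode
    mto: timedelta                  # longest the organisation can run in alternate mode


@dataclass(frozen=True)
class RecoveryOption:
    name: str
    data_copy_interval: timedelta   # worst-case data loss the option allows
    restore_time: timedelta         # time until services resume at the alternate site
    alternate_sdo_percent: int      # service level the alternate site delivers
    time_to_normal: timedelta       # time until normal operations are restored
    relative_cost: int              # constructed cost units; higher = more expensive


def objective_gaps(obj: RecoveryObjectives) -> List[str]:
    """Sanity-check the objectives themselves. Assumed relationship: the RTO
    must fit inside the interruption window, or the plan resumes too late."""
    gaps: List[str] = []
    if obj.rto > obj.interruption_window:
        gaps.append("RTO exceeds the interruption window")
    return gaps


def evaluate(option: RecoveryOption, obj: RecoveryObjectives) -> List[str]:
    """Return the objectives the option fails to meet (empty list = adequate)."""
    gaps: List[str] = []
    if option.data_copy_interval > obj.rpo:
        gaps.append(f"RPO: worst-case loss {option.data_copy_interval} > {obj.rpo}")
    if option.restore_time > obj.rto:
        gaps.append(f"RTO: restore time {option.restore_time} > {obj.rto}")
    if option.alternate_sdo_percent < obj.sdo_percent:
        gaps.append(f"SDO: alternate site delivers {option.alternate_sdo_percent}% < {obj.sdo_percent}%")
    if option.time_to_normal > obj.mto:
        gaps.append(f"MTO: alternate mode needed for {option.time_to_normal} > {obj.mto}")
    return gaps


def cheapest_adequate(options: List[RecoveryOption],
                      obj: RecoveryObjectives) -> Optional[RecoveryOption]:
    """Pick the least expensive option that meets every objective, if any."""
    adequate = [o for o in options if not evaluate(o, obj)]
    return min(adequate, key=lambda o: o.relative_cost) if adequate else None


# Constructed candidate strategies, from most to least expensive.
OPTIONS = [
    RecoveryOption("Synchronous mirroring + hot site", timedelta(0),
                   timedelta(hours=1), 100, timedelta(days=7), 100),
    RecoveryOption("Hourly replication + warm site", timedelta(hours=1),
                   timedelta(hours=8), 80, timedelta(days=14), 40),
    RecoveryOption("Nightly tape + cold site", timedelta(hours=24),
                   timedelta(hours=72), 60, timedelta(days=30), 10),
]

# Constructed objectives for a business that can lose two hours of data.
OBJECTIVES = RecoveryObjectives(rpo=timedelta(hours=2), rto=timedelta(hours=12),
                                interruption_window=timedelta(hours=24),
                                sdo_percent=75, mto=timedelta(days=21))

# Constructed objectives with an RPO in minutes, as in the answer's example.
TIGHT_OBJECTIVES = RecoveryObjectives(rpo=timedelta(minutes=5), rto=timedelta(hours=2),
                                      interruption_window=timedelta(hours=4),
                                      sdo_percent=100, mto=timedelta(days=10))

if __name__ == "__main__":
    for obj in (OBJECTIVES, TIGHT_OBJECTIVES):
        for option in OPTIONS:
            print(option.name, "->", evaluate(option, obj) or "adequate")
        chosen = cheapest_adequate(OPTIONS, obj)
        print("chosen:", chosen.name if chosen else "none adequate")
```

With the two-hour RPO the hourly replication plus warm site is adequate and cheaper than mirroring; tightening the RPO to five minutes leaves only the mirroring option, which matches the answer's point that an RPO in minutes calls for mirroring or duplexing.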

(4) Question Background: Summer 2012, Q # 3(b)
Fluent Services (FS) is a joint venture company which provides utility services. Last year FS lost its major IT assets on account of floods. Consequently, some of its IT services had to be discontinued for extended periods, although a comprehensive Business Continuity Plan had been prepared in 2010.
Required: Identify the possible reasons for discontinuation of services for extended periods as discussed above. (03 marks)
Suggested Answer:
Though FS had a comprehensive Business Continuity Plan (BCP) in place, some of its IT systems may have failed for extended periods on account of the following reasons:
(i) BCP was not updated.
(ii) BCP was not comprehensively tested.
(iii) FS had not trained its employees to cope with disastrous situations and make use of the BCP.

(5) Question Background: Summer 2012, Q # 4
You are working as the IT Manager of Astonishing Plastic Limited (APL) which is a medium sized manufacturing company. APL is in the process of revamping its accounting and information systems. Various proposals have been received from different software houses for development of the required system. The software houses intend to follow either the SDLC approach or the Prototype approach.
Required: Prepare a write-up for presentation to the Procurement Committee, containing the following:
(a) Analysis of the merits and demerits of the two approaches. (06 marks)
(b) The steps involved in the Prototyping approach. (04 marks)
Suggested Answer:
(a) Analysis of merits and demerits of the two approaches is as follows:
(i) After a quick requirements gathering phase, a prototype application is built and presented to the application users. This saves significant time and cost, as compared to normal SDLC models.
(ii) In prototyping more frequent feedback is taken from the users (as against the SDLC approach), which helps to improve or add functionality to the application.
(iii) Prototyping makes it possible for programmers to present a mock-up version of an envisaged system to the users before a substantial amount of time and money has been committed. The users can judge the prototype before things have gone too far to be changed. Whereas in the SDLC model, no meaningful sample of the system can be seen by the user, as it is based on strict planning followed by consultation, creation, testing, documentation and then launching.
(iv) In case of prototyping, early involvement of the user may result in lesser initiative on the part of the programmer/system analyst.
(v) In prototyping the developers mainly focus on what the user wants and what the user sees and may miss some of the controls that come out of the SDLC approach such as backup/recovery, security and audit trails etc.
(vi) Prototyping often leads to functions or extras being added to the system that are not included in the initial requirements document. In such cases sometimes the final system ends up being functionally rich but inefficient. With an SDLC model, developers in the beginning would have a clear idea of what is to be built.
(b) Key steps involved in prototyping are as follows:
1. Elicit user requirements briefly, not as comprehensively as in other SDLC models.
2. Plan the prototype.
3. Design the prototype in high level languages.
4. Demonstrate the prototype to the users.
5. Obtain users' comments on the prototype.
6. Improve the prototype.
7. Repeat steps 5 and 6 as necessary.
8. Build the production system (generally, in low level languages).

(6) Question Background: Summer 2012, Q # 5(a)
Briefly describe the key contents of an audit charter. (08 marks)
Suggested Answer:
An audit charter addresses four aspects, i.e. purpose, responsibility, authority and accountability.
Purpose: Following contents are covered under this aspect:
1- Role
2- Aims/goals
3- Scope
4- Objectives
Responsibility: Following contents are covered under this aspect:
1- Operating principles
2- Independence
3- Relationship with external audit
4- Auditee requirements
5- Critical success factors
6- Key performance indicators
7- Risk assessment
8- Other measures of performance
Authority: Following contents are covered under this aspect:
1- Right of access to information, personnel, locations and systems relevant to the performance of audits
2- Scope or any limitations of scope
3- Functions to be audited
4- Organisational structure, including reporting lines to board and senior management
5- Grading of IS audit staff
Accountability: Following contents are covered under this aspect:
1- Reporting lines to senior management
2- Assignment performance appraisals
3- Personnel performance appraisals
4- Auditee rights
5- Independent quality reviews
6- Assessment of compliance with standards
7- Benchmarking performance and functions
8- Comparison of budget to actual costs
9- Agreed actions, e.g. penalties when either party fails to carry out their responsibilities


(7) Question Background: Summer 2012, Q # 5(b)
Your firm has recently been engaged to conduct the audit of Stupendous Asset Management. The company executes a large number of e-business transactions in a real-time sharing environment which is almost paperless. Being the IS Expert of the audit team you were required to evaluate the operating controls on a continuous basis without disrupting the organization's normal business operations.
Required:
(i) Briefly explain any four automated evaluation techniques which you could use to perform the given task. (06 marks)
(ii) List down the factors that you would consider while selecting an appropriate continuous online auditing technique. (02 marks)
Suggested Answer:
(i) Following automated evaluation techniques could be used to perform the given task:
System Control Audit Review File & Embedded Audit Modules (SCARF/EAM): This technique involves embedding specially written audit software in the organization's host application system, so that the application systems are monitored on a selective basis.
Integrated Test Facility (ITF): Dummy entities are set up and included in the client's production files. The system can either process live transactions or test transactions during regular processing runs and have these transactions update the records of the dummy entity. The operator enters the test transactions simultaneously with the live transactions that are entered for processing. The auditor then compares the output with the data that have been independently calculated to verify the correctness of computer-processed data.
Snapshots: This technique involves taking what might be termed pictures of the processing path that a transaction follows, from the input to the output stage. With the use of this technique, transactions are tagged by applying identifiers to input data and subsequent processing of these transactions is reviewed and monitored.
Continuous and Intermittent Simulation (CIS): During the processing of transactions, the computer system simulates the instruction execution of the application. As each transaction is entered, the simulator decides whether the transaction meets certain predetermined criteria and, if so, audits the transaction. If not, the simulator waits until it encounters the next transaction that meets the criteria.
(ii) Following factors should be considered while selecting an appropriate continuous online auditing technique:
1- Complexity of the organization's computer systems and applications.
2- Advantages and disadvantages or limitations of each type of online auditing technique.
3- IS auditor's ability to understand the system with and without the use of continuous online auditing techniques.

(8) Question Background: Summer 2012, Q # 6
Digital Peak Limited (DPL) is a large importer of Chinese brands of mobiles, tablets, laptops and related accessories. Sachal, the newly appointed Business Development Manager, has come up with an idea that DPL should launch an online store to boost its sales. Further, DPL should promote its online store in the urban as well as rural areas, specially where universities and reputed institutions are situated. However, the management has reservations regarding various aspects of the online business.
Required: On behalf of Sachal, prepare a note to convince the management describing:
(a) How an online store is more customer friendly than a traditional store. (04 marks)
(b) The measures which DPL could take to facilitate the customers and alleviate their security concerns. (08 marks)


Suggested Answer:
(a) An online store is more customer friendly than a traditional store because:
(i) The customer can shop electronically without having to leave the comfort of his home, hostel or office.
(ii) Customers can do the shopping 24 hours of the day, 365 days of the year. The barriers of bad weather and poor law and order situation etc. are minimized.
(iii) Customers sitting in far flung areas could easily place orders for their required items which are not available near their place of residence.
(iv) Customers have the option to review and compare prices of similar products within a few minutes without the hassle of going through the market for hours.
(b) DPL may take the following measures to facilitate the customers and alleviate their security concerns:
Customer friendly: Design the website in such a way as to make search and navigation easy for customers.
Quality of goods: Make a customers' feedback and rating forum where customers may give their feedback on products purchased and DPL's customer services.
Timely delivery:
1- Make arrangements for product delivery with reliable courier services.
2- Minimize lead time for delivery of orders but at the same time keep the customers informed about the correct delivery time.
Security of transaction:
1- Deploy appropriate Secure Socket Layer at its website.
2- Get its website certified from institutions like WebTrust.
3- Store customers' data in encrypted form.
Payment means:
1- Make payment arrangements with a credit card processing company to accept generally used debit/credit cards like MasterCard and VISA etc.
2- Get the payment mechanism certified by an independent authority like VeriSign.
3- Make payment arrangements with local banks through online transfer of funds.
4- Make cash on delivery payment arrangements.

(9) Question Background: Summer 2012, Q # 7
Briefly describe the key objectives of Business Process Reengineering (BPR) and identify the important steps that form part of a BPR exercise. (06 marks)
Suggested Answer:
The key objectives of Business Process Reengineering (BPR) are as follows:
(a) Identify deficiencies/inefficiencies; and
(b) Maximize productivity of the existing system.
Important steps that form part of a BPR exercise are as follows:
(a) Study the current system.
(b) Design and develop new systems.
(c) Define processes, organization structure and procedures.
(d) Develop/customize the software.
(e) Train people.
(f) Implement the reengineered system.


(10) Question Background: Summer 2012, Q # 8
Splendid Medicines Limited (SML) is a medium sized organization having different types of network infrastructures such as LANs, WANs, WLANs, VPNs, etc. Being an Internal Auditor of SML you have been assigned to make an assessment of the major threats to its networks, together with the potential impact and probability of occurrence of each threat.
Required: List the important information which would be required by you for carrying out an effective assessment as discussed above. (10 marks)
Suggested Answer:
In order to carry out an effective assessment, the following information may be required:
(1) Detail of network topologies and network design.
(2) Detail of significant network components (such as servers, routers, switches, hubs, firewalls, modems, wireless devices etc.).
(3) Detail of interconnected boundary networks.
(4) Network uses (including significant traffic types and main applications used over the network).
(5) Network gateway to the Internet.
(6) Names of network administrators and operators and the functions performed by them.
(7) Names of significant groups of network users.
(8) Procedures and standards relating to network design, support, naming conventions and data security.
(9) Detail about network transmission media and techniques.
(10) Policies and procedures related to network risk assessment.
(11) Helpdesk complaint log.
(12) Detail of any potential mishap which had occurred in the past.
(13) Any related audit/review report.

(11) Question Background: Summer 2012, Q # 9
Flash Marketing Limited (FML) is a medium sized fast moving consumer goods distributor. A few months ago, FML got its website revamped by Web Experts Limited (WEL). The new website has interactive features with separate areas designated for different stakeholders. On expiry of the free service period, WEL has proposed that FML enter into a 3 year contract for website administration and maintenance. Under the proposed agreement, WEL would also be responsible for updating the website as instructed by FML. However, all changes in design would be billed separately.
Required:
(a) Identify the risks that FML may face if it decides to accept WEL's offer. (04 marks)
(b) Identify the measures through which FML could mitigate the risks identified in part (a) above. (06 marks)
Suggested Answer:
(a) FML may face the following risks:
(i) There may be hidden costs in the contract because for slight changes in the design of a web page WEL may demand a substantial fee.
(ii) WEL may not perform timely maintenance, which may result in non-availability of the website.
(iii) Service costs may not remain competitive over the period of the entire contract.
(iv) FML may become entirely dependent on WEL.
(v) Confidentiality of information may be compromised.
(b) FML could take the following measures to mitigate the above risks:
(1) Review the proposal thoroughly as regards the basis of billing for services related to change in design.
(2) Specify clearly defined performance criteria to ensure quality of services.
(3) Define penalties in case of non-fulfillment of agreed service levels.

(4) Ensure that WEL has a sound BCP in place.
(5) Instead of a three year contract, enter into an annual contract and, before renewal of the contract, make a fresh survey of the market as regards the cost of services.
(6) To reduce dependency on WEL, make backup arrangements. For example, contract with another vendor to handle the website in case the contract with WEL is terminated abruptly, or develop in-house resources.
(7) Get a non-disclosure agreement signed by WEL.
(8) Clearly specify data ownership.

(12) Question Background: Winter 2011, Q # 1
Thriving Limited (TL) is a fast growing distribution company. In a short period of time, the IT function of TL has become the prime facilitator and enabler of its business and consequently the management has taken various steps to improve its efficiency and effectiveness. In this regard an IT Strategy and Steering Committee has been formed. The Committee has taken various steps that include devising new strategies and plans, restructuring of the IT department, up-gradation of facilities and human resources within the IT department and documentation of internal controls and procedures etc. to achieve the desired result. You have been hired as an IT and Management Consultant to carry out a critical evaluation of the steps taken by the Committee.
Required:
(a) Specify the information which you would like to gather as regards TL's IT strategy. (05 marks)
(b) Identify the matters that you would consider in evaluating:
(i) The strategic planning process; and (05 marks)
(ii) The organization of TL's IT function. (08 marks)
Suggested Answer:
(a) I would gather the following information as regards TL's IT strategy:
(i) Long and short range organizational plans to fulfill the organization's mission and goals.
(ii) Long and short range strategy and plans for IT systems to support organizational plans.
(iii) TL's approach to setting IT strategy, developing plans and monitoring progress against those plans.
(iv) TL's approach to change control of IT strategy and plans.
(v) IT mission statement and agreed goals and objectives for IT activities.
(vi) Assessments of existing IT activities and systems.
(b) (i) While reviewing the IT strategic planning process, I would consider whether:
(1) There is a clear definition of IT mission and vision;
(2) There is a strategic IT planning methodology in place;
(3) The methodology correlates business goals and objectives to IT goals and objectives;
(4) This planning process is periodically updated;
(5) The IT strategic plan identifies major IS initiatives and resources needed;
(6) The level of the individuals involved in the process is appropriate.
(b) (ii) While reviewing the organization of TL's IT function, I would consider the following:
(1) Membership, functions and responsibilities of the IT strategy and steering committee are well defined;
(2) A quality assurance function and policy exists for the organization of the IT function;
(3) The IT function has the right kind of staff having related skills;
(4) Clear policies exist to ensure hiring of appropriate IT personnel;
(5) The roles and responsibilities are well defined and are communicated to all concerned;
(6) The IT function is aligned with the organization's objectives;


(7) Policies exist to address the need for evaluating and modifying the organizational structure to meet changing objectives and circumstances;
(8) Policies and procedures exist covering data and system ownership for all major data sources and systems;
(9) Appropriate segregation of duties is in place;
(10) Appropriate and effective key performance indicators and/or critical success factors are used in measuring the results of the IT function in achieving organizational objectives;
(11) IT policies and procedures exist to control the activities of consultants and other contract personnel; and
(12) Whether the costs being invested in the organization of the IT function are appropriate/well controlled.

(13) Question Background: Winter 2011, Q # 2
Database failures are a cause of concern for many organisations. You are required to prepare a note explaining the following:
Required:
(a) Four common causes of database failures; and (04 marks)
(b) Four common database backup strategies, to minimise the risk of loss of data. (08 marks)
Suggested Answer:
(a) Common causes of database failures are as follows:
Application program error: Data could be incorrectly updated due to a bug/error in an application program.
System software error: An error in the OS (operating system), DBMS (database management system), network management system or a utility program may lead to erroneous update or corruption of data held by the database.
Hardware failure: Data may be lost due to hardware failure or malfunctioning.
Procedural error: A procedural error made by an operator/user could damage the database.
(b) Common backup strategies are as follows:
Grandfather, father, son strategy: In this method three sets of backups are recorded, i.e. daily, weekly and monthly. The daily or son backups are recorded on week days, the weekly or father backups are recorded on weekends, while the monthly or grandfather backup is written on the last working day of the month. Son, father and grandfather backups are over-written on a weekly, monthly and quarterly basis, respectively. Often one or more of the father/grandfather backups is removed from the site and stored offsite for safekeeping and disaster recovery purposes.
Mirroring / dual recording / replication: It involves maintaining two separate copies of the same database at different physical locations. It is a costly system as the data is required to be kept and updated at two different locations/servers.
Dumping: It involves copying the whole or a critical part of the database to a medium from which it can be rewritten. There is no specific frequency of taking the backup.
Logging: In this method the backup of the entire database is not taken each time. Instead, a log is kept in respect of all the events that update, create or delete any record in the database. Three types of logs may be kept, i.e. transaction logs, before-image logs and after-image logs. Such logs can be used to update the database in case an updated version is lost.

(14) Question Background: Winter 2011, Q # 3
WAO Limited is facing fierce competition. Besides other problems, customer satisfaction surveys have suggested that the customer support function is not performing effectively and efficiently. Consequently, the company is losing its market share day by day. It has therefore decided to reorganise the customer support function. As part of the above exercise, you have been assigned the task of revamping the customers' help desk to ensure that it is able to meet its objectives effectively.

Required: Identify key objectives of the help desk function and briefly explain what actions are needed to achieve them. (09 marks)
Suggested Answer:
Key objectives of the help desk function are as follows:
1- Effective and efficient customer support.
2- Effective and timely monitoring.
3- Building a knowledge base.
Actions required to achieve the above objectives are explained below:
Effective and efficient customer support
1- Appoint trustworthy and competent personnel having a high level of interpersonal skills as the help desk coordinating officers.
2- Train the help desk officers in the diverse range of systems used throughout the organisation.
3- Ensure immediate logging of all customers' complaints/queries.
4- Unresolved customers' queries should be assigned to support personnel for investigation and resolution.
5- Arrange periodic reviews/audits of the services offered and gather customers' opinion through feedback forms and surveys.
Effective and timely monitoring
1- Assign a time limit for resolution of each reported complaint.
2- The system should be able to alert the Customer Services Manager as soon as the designated time period for unresolved complaints is over.
Building a knowledge base
1- Maintain a system generated log of all activities undertaken to resolve the reported complaints.
2- Use the help desk log to determine the most and least problematic areas.
3- Train help desk staff to make use of the log to find out how a particular type of problem has been fixed in the past.

(15) Question Background: Winter 2011, Q # 4
Ecommerce has gained a significant share of the overall market for goods and services in many countries. However, in addition to its advantages, ecommerce has several limitations including risks for commercial organizations as well as individual consumers.
Required: Briefly explain the risks associated with the use of ecommerce, from the customer's as well as the seller's point of view, and suggest measures that can be adopted to mitigate them.
(12 marks)
Suggested Answer:
Risks associated with the use of ecommerce along with the mitigating measures are as follows:
(i) Privacy: Customers' private and confidential information may become public and the seller risks facing legal prosecution in case the customers' data is compromised.
Mitigating measures:
1- Seller should store customers' data in encrypted form.
2- Seller should declare that he would not disclose customers' data to third parties or any other agency unless required by the law.
3- Seller should get the website certified by WebTrust.
4- Seller should deploy Secure Socket Layer (SSL) on the website, especially on those pages where customers' data is collected.
5- Seller should make use of public key cryptography and allow customers to encrypt the data with his public key.
6- Buyer should not follow hyperlinks received from marketing emails to visit the seller's website.
7- Buyer should install web browsers with an embedded phishing filter.
(ii) Integrity of transaction: Information submitted by the customers may be tampered with during or after the transaction.
(iii) Fraud: The seller may indulge in fraud or the website may not be authentic.
(iv) Non-repudiation: Buyer may deny that he has placed the order.
(v) Availability: Website may become unavailable due to virus attack, email/message bombardment on the system or system malfunction.
(vi) Trust: Seller may deceive the buyers and the delivered order may be of much lower quality than its description at the online store.
Mitigating measures for risks (ii) to (vi), as given in the answer:
1- The seller should get the customers registered with its website and assign them digital signatures before making any transaction. These signatures should be used for communication with the seller.
2- Deploy a firewall with effective policies to prevent unwanted traffic.
3- Deploy reputed antivirus software and update it regularly.
4- Develop and implement an effective disaster recovery and business continuity plan for the ecommerce website. Ensure periodic testing and updating of the plan.
5- Customers should be alert to this possibility and satisfy themselves through available means before carrying out such a transaction.

(16) Question Background: Winter 2011, Q # 5, Syllabus Topic:
You are working as Manager IT Audit in YEP Consultants. Trade Power (TP), which is a midsized retailing and distribution company, has approached your firm for post-implementation review of its recently established Virtual Private Network.
Required: List the steps that you would undertake:
(a) While planning the high level risk assessment of TP's Virtual Private Network; and
(b) In determining the scope and objectives of the above assignment. (06 marks)
Suggested Answer:-
(a) I would take the following steps while planning the high-level risk assessment of TP's VPN:
1- Gather information regarding TP's business and the purpose of installation of the VPN.
2- Identify the VPN related risks relevant to the post-implementation stage.
3- Identify the relevant framework information criteria that need to be reviewed and confirmed.
(b) To determine the scope and objectives of the TP assignment, I would:
1- Consult with the management of Trade Power (TP) where appropriate.
2- Obtain the feasibility study report of the project to gain understanding of users' requirements.
3- Consider the information gathered at the planning stage, to determine the scope in a more explicit manner.
4- Interview the identified stakeholders and include their key concerns, if any, in the scope and objectives of the review.
(17) Question Background: Winter 2011, Q # 6, Syllabus Topic:
The management of Utmost Textiles (UT) has decided to acquire an ERP solution. The ERP consultant hired by the management is of the view that UT must conduct a business process reengineering (BPR) exercise before acquiring the ERP solution. However, in order to save time, the management wants to conduct the BPR exercise concurrently with the implementation of the ERP solution.
Required:
(a) Explain the benefits of carrying out the BPR exercise. (03 marks)
(b) Comment on the management's plan of concurrently carrying out BPR along with ERP implementation. (05 marks)
(c) What matters should be considered while evaluating and selecting a suitable ERP package? (05 marks)
Suggested Answer:-

(a) An in-depth BPR study:
1- Brings out deficiencies of the existing systems;
2- Attempts to maximize productivity through restructuring; and
3- Identifies measures to improve the systems and procedures.
(b) The BPR exercise may be conducted concurrently with the implementation of the ERP solution; however, this could lead to:
1- Selection of an inappropriate ERP;
2- Additional cost on customisation of the selected solution;
3- Incompatibility with technical infrastructure;
4- Unfamiliarity with new processes introduced by the BPR, which may, in turn, lead to inadequate process description and suboptimal configuration of the ERP; and
5- Overburdening the users, which may lead to increased resistance from users.
(c) Following matters should be considered while evaluating and selecting an ERP package:
1- All functional aspects of the business are duly covered.
2- Whether it would be technically viable to purchase the intended ERP.
3- Whether the vendor has customization and implementation capabilities.
4- Feedback from existing users of the intended ERP.
5- Comparison of costs and benefits associated with ERP implementation.
(18) Question Background: Winter 2011, Q # 7(a), Syllabus Topic:
Identify any six factors that need to be considered while making a decision as regards the use of Computer Assisted Audit Techniques (CAATs). (06 marks)
Suggested Answer:-
Following factors should be considered while determining whether to use CAATs:
(1) The IT knowledge, expertise and experience of the audit team;
(2) The availability of suitable CAATs and IS facilities;
(3) Efficiency and effectiveness of using CAATs over manual techniques;
(4) Time constraints;
(5) Integrity of the information system and IT environment; and
(6) Level of audit risk.
(19) Question Background: Winter 2011, Q # 7(b), Syllabus Topic:
Describe the steps that need to be taken while planning the use of CAATs. (07 marks)
Suggested Answer:-
Following steps are required to be taken while planning the use of CAATs:
(1) Set the objective of the CAAT application.
(2) Determine the accessibility and availability of the entity's IS facilities, programs/systems and data.
(3) Determine resource requirements, i.e., personnel, CAATs, processing environment.
(4) Clearly understand the composition of data to be processed, including quantity, type, format and layout.
(5) Obtain access to the entity's IS facilities, programs/systems and data, including file definitions.
(6) Define the tests and procedures to be undertaken.
(7) Define the output requirements.
(8) Document the CAATs to be used, including high level flowcharts and run instructions.
(20) Question Background: Winter 2011, Q # 8, Syllabus Topic:
As part of an IS audit, you are documenting the IT general controls and mapping them with the best practices. You have noted that all the users have access to the entire printing options. The client is of the view that this practice makes the system user friendly and enhances its operating efficiency. The client also believes that it would not create any threat.
Required: Comment on the arguments provided by the client and state what action you would take. (05 marks)
Suggested Answer:-

The arguments provided by the client do not seem appropriate on account of the following:
(1) Unrestricted access to the report option results in exposure of information to undesired users. A careful analysis is to be done to determine the relevant users who may access and print a report.
(2) Efficiency and effectiveness are not relevant factors in this situation. They might exist, but the cost/risk is higher.
(3) User friendliness and flexibility for everybody is never the first choice for an IT system, particularly at the cost of information security. The system needs to be user friendly for the intended users only.
(4) Information could be transmitted outside as electronic files, i.e. without printing hard copies, as print options allow for printing in an electronic form as well, e.g. print to file or print to PDF.
Therefore, it can be concluded that a greater exposure exists since blanket permission is available to all users. Accordingly, this point should be reported to the management.
(21) Question Background: Winter 2011, Q # 9, Syllabus Topic:
Your firm is engaged in the audit of an information system processing facility. You have been assigned the task of evaluating the effectiveness of the logical and environmental controls related to the following areas:
(i) Data confidentiality, integrity and availability
(ii) Power and fire hazards
Required: Specify the questions that you would ask and the matters that you would like to observe to assess the effectiveness of controls related to the above areas. (12 marks)
Suggested Answer:-
To evaluate the effectiveness of the logical and environmental controls related to the given areas I would ask the following questions:
(a) Data confidentiality, integrity and availability
(i) Is there a corporate policy requiring strong passwords?
(ii) Is there a corporate policy requiring periodic change of passwords? If so, what is its periodicity?
(iii) Are employees aware that passwords and accounts are not to be shared?
(iv) Are users' passwords communicated in a secure manner?
(v) How is sensitive data being stored? Password protected or encrypted?
(vi) Is there a user authorization matrix in place?
(vii) Is the use of external storage devices allowed? If so, what controls are in place to minimise the exposures due to use of such devices?
(viii) How is the media containing confidential and sensitive information, which is no longer required, disposed of?
(ix) Enquire and seek evidence whether users' activity logs and audit trails are maintained and reviewed.
(x) Enquire and seek evidence whether prior written authorisation is required for modification of data.
(xi) Are all workstations running the latest version of antivirus software, scanning engine and service packs of operating/application software?
(xii) How are the data and application software backed up? (frequency/procedure)
(xiii) Are backup files periodically restored as a test to verify whether they are a viable alternative?
(xiv) Are backup files sent to a physically secure offsite location?
(b) Power and fire hazards
(i) Enquire whether any fire fighting system is installed.
(ii) Observe whether smoke detectors, water sprinklers, fire extinguishers and fire blankets are placed in strategic visible locations throughout the facility.
(iii) Enquire and seek evidence whether the fire extinguishers and other fire fighting components are inspected periodically.
(iv) Enquire and seek evidence whether fire fighting drills are conducted periodically.
(v) Enquire if there is any emergency exit for staff to evacuate safely in case of fire.
(vi) Observe whether the emergency exit is visibly marked and easily accessible.
(vii) Interview staff to ascertain their training and awareness level as regards fire hazards and evacuation procedures.
(viii) Observe that electrical surge protectors are installed on sensitive and expensive computer equipment.
(ix) Visit the IT facility at regular intervals to determine if temperature and humidity are appropriate.
(x) Seek evidence whether fire fighting equipment, electrical fittings and UPS are inspected/tested frequently.
(22) Question Background: Summer 2011, Q # 1, Syllabus Topic:
As Business Development Manager of Softera Solutions Limited you are presently conducting negotiations with the management of Prime Foods Limited (PFL) for automation and integration of its sales and distribution systems. PFL produces 15 different varieties of confectionary products and distributes them to the retail outlets through its own fleet of 30 vans. Every morning the products are dispatched from the warehouse in PFL's vans. Each van follows a pre-defined route for delivery of products to the retail outlets. Sales invoices are prepared manually by the salesmen. The original invoice is issued to the customer and a carbon copy is submitted to the Accounts Department at the end of each trip. Individual accounts are maintained in respect of credit customers only. Each salesman deposits the cash amount on the basis of inventory delivered to him in the morning, after adjusting the credit sales and the stock returned. The aggregate record of inventory received and issued is maintained on Excel sheets by the Warehouse Superintendent.
Required: Prepare a Sales Proposal for submission to PFL covering the following:
(a) Weaknesses in the existing Van Sales Distribution System (VSDS). (03 marks)
(b) The tools and technology available for automation of the VSDS, with a brief description of how the system would work. (04 marks)
(c) Any six advantages which would accrue to PFL after automation of the VSDS. (06 marks)
Suggested Answer:-
(a) Possible weaknesses in the existing VSDS of PFL are as follows:
(i) Lack of segregation of duties, as the Warehouse Superintendent is maintaining the stock record.
(ii) Data maintained by the Superintendent in Excel sheets is vulnerable to changes.
(iii) Possibility of intentional over-charging by the salesman (fraud), resulting in customer dissatisfaction when the error is detected.
(iv) Possibility of errors such as inaccurate pricing and arithmetical inaccuracies.
(v) The opportunity to track good cash customers is being lost by maintaining records of credit customers only.
(vi) Itemized detail of products issued and returned is not maintained.
(b) The tools and technologies available to automate the VSDS, and their working, are described below:
(i) Handheld devices / PDAs (Personal Digital Assistants) or even new generation mobile phones may be used as the front end (input device) to capture transactions electronically at different stages of the transaction, i.e. loading of inventory, making sales / collection, collecting expired products etc.
(ii) These devices would be supported with printers for issuing instant invoices / receipts / credit memos.
(iii) At the end of the trip, each salesman would place the handheld computer / PDA in a hub connected with the backend software, which would instantly capture the information from it onto the main database.
(c) PFL could obtain the following benefits after automation of its VSDS:
(i) Integration of Sales, Warehousing and Accounting will reduce errors in recording of sales and warehousing transactions.
(ii) Reduced paperwork.
(iii) Time saving from the company's as well as the customer's point of view.
(iv) Instant capturing of transactions from the front end device / PDA into the back office accounting system.
(v) Management would have access to complete data relating to individual customers, categories of customers, region wise sales etc.
(vi) Management would have better control over activities of van salesmen and over expired / damaged products.
(vii) Reduced administration cost, i.e., cost of reconciliation of sales, inventories etc.
(viii) Reduced errors, both intentional and unintentional.
(ix) Effective inventory planning.
(x) Increased motivation level of the sales team.

(23) Question Background: Summer 2011, Q # 2, Syllabus Topic:
Vivid Securities Limited (VSL) is a medium-sized stock brokerage house. A recent study of the internal operating procedures has convinced VSL's management of the need for rightsizing in all the departments. At present, the IT Department consists of eight employees as listed below:
(i) System Analyst
(ii) Software Developer
(iii) Tape Librarian
(iv) Database Administrator
(v) Security Admin
(vi) Network Admin
(vii) Help Desk Officer
(viii) Data Entry Operator
VSL's management is of the opinion that certain functions can be consolidated to reduce the number of personnel in the IT Department. However, VSL's internal auditor is of the viewpoint that segregation of certain IT functions is of prime importance, as their consolidation would compromise the security aspects of VSL's operations.
Required:
(a) Prepare a Separation of Duties Matrix for the above IT functions and identify the duties which, in your opinion, should not be clubbed together. (06 marks)
(b) In the event it is considered necessary to combine the functions of Software Developer and Database Administrator, identify any four controls which in your opinion would mitigate the associated risks. (04 marks)
Suggested Answer:-
(a) Separation of Duties Matrix
                          SA    SD    TL    DBA   SecA  NA    HD    DEO
System Analyst (SA)       --    OK    X     X     X     OK    X     OK
SW Developer (SD)         OK    --    X     X     X     X     X     X
Tape Librarian (TL)       X     X     --    OK    X     X     X     OK
DB Admin (DBA)            OK    X     OK    --    OK    X     X     X
Security Admin (SecA)     X     X     X     OK    --    OK    OK    X
Network Admin (NA)        OK    X     X     X     OK    --    X     X
Help Desk Officer (HD)    X     X     X     X     OK    X     --    X
Data Entry Operator (DEO) OK    X     OK    X     X     X     X     --
Legend: OK = Compatible Function; X = Incompatible Function
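To show how the matrix above is applied when a rightsizing plan is reviewed, here is an added Python example; it is not part of the ICAP answer. It encodes the matrix exactly as reconstructed above and reports every incompatible pair of functions that a single person would hold. The four-person proposal it checks is a constructed one, and the matrix's single asymmetric cell (System Analyst against DB Admin) is read conservatively, as a conflict, which is the auditor's safer reading.

```python
"""Separation-of-duties check for a proposed consolidation of IT functions.

Added example, not part of the ICAP answer: it encodes the matrix above
(OK = compatible, X = incompatible) and reports every incompatible pair
among the functions that one person would hold, so that such a plan is
either rejected or paired with compensating controls as in part (b).
"""
from itertools import combinations

ROLES = ["System Analyst", "SW Developer", "Tape Librarian", "DB Admin",
         "Security Admin", "Network Admin", "Help Desk Officer",
         "Data Entry Operator"]

# Rows of the matrix above in ROLES order; '-' marks a role against itself.
MATRIX_ROWS = [
    "-  OK X  X  X  OK X  OK",   # System Analyst
    "OK -  X  X  X  X  X  X",    # SW Developer
    "X  X  -  OK X  X  X  OK",   # Tape Librarian
    "OK X  OK -  OK X  X  X",    # DB Admin
    "X  X  X  OK -  OK OK X",    # Security Admin
    "OK X  X  X  OK -  X  X",    # Network Admin
    "X  X  X  X  OK X  -  X",    # Help Desk Officer
    "OK X  OK X  X  X  X  -",    # Data Entry Operator
]
MATRIX = {ROLES[i]: dict(zip(ROLES, row.split()))
          for i, row in enumerate(MATRIX_ROWS)}


def compatible(role_a, role_b):
    """A pair is compatible only if both directions of the matrix say OK.
    The matrix above has one asymmetric cell (System Analyst / DB Admin);
    reading it conservatively, an X in either direction is a conflict."""
    return MATRIX[role_a][role_b] == "OK" and MATRIX[role_b][role_a] == "OK"


def conflicts(roles):
    """Incompatible pairs among the roles one person would hold."""
    return [(a, b) for a, b in combinations(roles, 2) if not compatible(a, b)]


def review_plan(plan):
    """plan: {person: [roles]} -> {person: conflicting pairs}, only for
    persons whose combination of roles breaks the matrix."""
    findings = {}
    for person, roles in plan.items():
        pairs = conflicts(roles)
        if pairs:
            findings[person] = pairs
    return findings


# Constructed rightsizing proposal: VSL's eight positions held by four people.
PROPOSAL = {
    "Person 1": ["System Analyst", "SW Developer"],
    "Person 2": ["Tape Librarian", "Data Entry Operator"],
    "Person 3": ["Security Admin", "Network Admin"],
    "Person 4": ["DB Admin", "Help Desk Officer"],
}

if __name__ == "__main__":
    for person, pairs in review_plan(PROPOSAL).items():
        for a, b in pairs:
            print(f"{person}: {a} and {b} must not be combined")
```

Only "Person 4" is reported, because DB Admin and Help Desk Officer are marked X in both directions; the other three pairings are OK in the matrix, which is consistent with part (b) below treating the Software Developer plus Database Administrator combination as one that needs compensating controls rather than one the matrix permits.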

(b) If the role of Software Developer (SD) is to be combined with the role of Database Administrator (DBA), the following compensating controls could be implemented:
(i) Authorization: Mandatory written authorization from supervisory level for every change or amendment in the application program/database structure/database permissions.
(ii) User logs/audit trails: Generating a complete un-editable log of the DBA's activities. Such logs should not be accessible to the DBA and SD and should be reviewed periodically by a supervisory authority.
(iii) Exception reporting: Configure exception reports or alerts for activities other than normal, like overriding database default controls, mismatch of application program version etc. These reports should be handled at the supervisory level on a priority basis and should require evidence, such as initials on a report, noting that the exception has been handled properly.
(iv) Supervisory reviews: Besides reviewing various logs, other supervisory reviews may also be performed through observation, inquiry and test checks etc.
(v) Independent reviews: Independent reviews may be carried out by internal or external auditors etc.
(24) Question Background: Summer 2011, Q # 3, Syllabus Topic:
The Internet has developed systems for storage and sharing of information in a convenient, efficient and economical manner. Consequently, various organizations have demonstrated widespread reliance on the use of Internet facilities. However, storage and exchange of sensitive information on the Internet exposes the organisation to various types of threats. A firewall is considered an appropriate safeguard for companies whose networks are connected to the Internet.

Required:
(a) Distinguish between passive and active attacks. Briefly describe any three passive and three active attacks to which an organisation is exposed due to the connection of its network with the Internet. (08 marks)
(b) Identify the primary functions of a firewall and briefly describe any three types of firewall. (09 marks)
Suggested Answer:-
(a) In a passive attack, network information is gathered by probing/observing various activities performed through the network. When the attack is actually launched (either using the information gained through the passive attack or otherwise) it is called an active attack.
Examples of passive attacks are as follows:
(i) Eavesdropping: The attacker gathers the information flowing through the network. Such information may include emails, passwords and, in some cases, keystrokes, in real time.
(ii) Traffic analysis: The attacker determines the nature of traffic flow between defined hosts through an analysis of session length, frequency and message length. Such analysis enables the attacker to guess the type of communication taking place even if it is encrypted.
(iii) Network analysis / footprinting: Initially the attacker uses a combination of tools and techniques to build a repository of information about a particular company's internal network. Later, the attacker focuses on systems within the targeted address space that responded to these network queries when targeting a system for actual attack. Once a system has been targeted, the attacker scans the system's ports to determine what services and operating system are running on the targeted system, possibly revealing vulnerable services that could be exploited.
Examples of active attacks are as follows:
(i) Masquerading: The attacker impersonates an authorized user and thereby gains certain unauthorized privileges.
(ii) Denial-of-service: It occurs when a computer connected to the Internet is flooded with data and/or requests that must be serviced. The machine becomes so tied up with these messages that it is rendered useless.
(iii) Brute-force attack: The attacker launches an attack using any of the password breaking tools.

(b) Primary functions of a firewall are as follows:
(i) Allows only authorized traffic to pass.
(ii) Keeps information related to all access attempts undertaken.
Different types of firewalls are described below:
Router Packet Filtering: Such firewalls are essentially routers operating at OSI layer 3, using set access control lists (ACLs). Decisions are made to allow or disallow traffic based on the source and destination IP address, protocol and port number. Such firewalls can compare the header information in packets only against their rules. As a result they provide relatively low security as compared to other options.
Stateful Inspection: These firewalls keep track of all packets through all OSI layers until that communication session is closed. They track communications (or sessions) from both internal and external sources. The rules are changed dynamically when an outbound connection is established to enable packets from the destination IP address to return back to the origin. All other traffic is stopped from reaching the origin computer, protecting it from the dangers of the Internet.
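The difference between the two firewall types just described is easiest to see on actual traffic. The following Python simulation is an added example, not code from the ICAP answer: a stateless function that applies a fixed ACL to each packet's header fields, and a stateful class that opens the return path only for sessions it has seen established from inside and closes it again when the session ends. The rule set, addresses and ports are constructed sample values.

```python
"""Stateless packet filtering versus stateful inspection.

Added example, not code from the ICAP answer: a minimal simulation of the
router packet filter and the stateful inspection firewall described above.
Packets are dicts of header fields; the addresses, ports and rule set are
constructed sample values.
"""

# Constructed rule base shared by both firewalls:
# (direction, protocol, destination port, action); anything unmatched is denied.
ACL = [
    ("out", "tcp", 443, "allow"),  # internal hosts may open HTTPS sessions
    ("in", "tcp", 25, "allow"),    # the mail gateway accepts inbound SMTP
]


def packet_filter(pkt, acl=ACL):
    """Stateless filter: compares the header fields of each packet against
    the rules and nothing else. It has no memory of earlier packets."""
    for direction, proto, dport, action in acl:
        if (pkt["dir"], pkt["proto"], pkt["dport"]) == (direction, proto, dport):
            return action
    return "deny"


class StatefulFirewall:
    """Tracks sessions so that replies to permitted outbound connections are
    let back in, while unsolicited inbound traffic still hits the rule base."""

    def __init__(self, acl=ACL):
        self.acl = acl
        # (internal ip, internal port, external ip, external port, proto)
        self.sessions = set()

    def inspect(self, pkt):
        if pkt["dir"] == "out":
            verdict = packet_filter(pkt, self.acl)
            if verdict == "allow":
                # Dynamically open the return path for this exact 5-tuple.
                self.sessions.add((pkt["src"], pkt["sport"],
                                   pkt["dst"], pkt["dport"], pkt["proto"]))
            return verdict
        # Inbound packet: is it the reply leg of a tracked session?
        key = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"], pkt["proto"])
        if key in self.sessions:
            if pkt.get("fin"):
                self.sessions.discard(key)  # session closed: return path removed
            return "allow"
        return packet_filter(pkt, self.acl)  # otherwise only the static rules apply


def make_packet(direction, src, sport, dst, dport, proto="tcp", fin=False):
    return {"dir": direction, "src": src, "sport": sport, "dst": dst,
            "dport": dport, "proto": proto, "fin": fin}


# Constructed traffic: an HTTPS session opened from inside, then inbound
# packets that either belong to it, pretend to, or are unrelated.
SCENARIO = [
    ("client opens HTTPS", make_packet("out", "10.0.0.5", 51000, "203.0.113.10", 443)),
    ("server reply", make_packet("in", "203.0.113.10", 443, "10.0.0.5", 51000)),
    ("reply to other host", make_packet("in", "203.0.113.10", 443, "10.0.0.9", 51000)),
    ("unsolicited from stranger", make_packet("in", "198.51.100.7", 443, "10.0.0.5", 51000)),
    ("inbound SMTP to gateway", make_packet("in", "198.51.100.7", 40000, "10.0.0.25", 25)),
    ("server reply, session end", make_packet("in", "203.0.113.10", 443, "10.0.0.5", 51000, fin=True)),
    ("late packet after close", make_packet("in", "203.0.113.10", 443, "10.0.0.5", 51000)),
]


def run_scenario(scenario=SCENARIO):
    """Return {label: (stateless verdict, stateful verdict)} for each packet,
    feeding the packets to one stateful firewall instance in order."""
    fw = StatefulFirewall()
    return {label: (packet_filter(p), fw.inspect(p)) for label, p in scenario}


if __name__ == "__main__":
    for label, (stateless, stateful) in run_scenario().items():
        print(f"{label:<28} packet filter: {stateless:<6} stateful: {stateful}")
```

The stateless filter can only admit the server's reply by adding an inbound rule for every high port, which is exactly the weakness the answer attributes to it; the stateful firewall admits that one reply because it matches a session it recorded, refuses the same packet addressed to a different internal host or coming from a different external host, and refuses it again once the session has been closed.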
Application Firewall: Such firewalls manage conversations between hosts, acting as an intermediary at the application level of the OSI model. All packets passing to the network are delivered through the proxy, which is acting on behalf of the receiving computer. The communication is checked for access authorization according to a rule-base and then passed on to the receiving system or discarded. The proxy receives each packet, reviews it, and then changes the source address to protect the identity of the receiving computer before forwarding. Proxy firewalls can look at all the information in the packet (not just the header) all the way to the application layer. They provide the greatest degree of protection and control because they inspect all seven OSI layers of network traffic.
(25) Question Background: Summer 2011, Q # 4, Syllabus Topic:
Marvi Hospital (MH) is a large sized hospital. It uses an integrated application for recording and maintaining the patients' medical history. As the IS auditor of the hospital, data privacy is one of the major concerns requiring your attention.
Required: List the key questions that you would like to ask for assessing the data privacy risks to which MH may be exposed. (10 marks)
Suggested Answer:-
I would like to ask the following questions to assess the privacy risks being faced by MH:
(i) What type of personal information does MH collect?
(ii) What are MH's privacy policies and procedures with respect to collection, use, retention, destruction, and disclosure of personal information?
(iii) What privacy laws and regulations impact MH? Are the policies revised in line with the revision in such regulations?
(iv) Are the privacy policies properly circulated and signed off by all the employees?
(v) Has MH assigned responsibility and accountability for managing a privacy program?
(vi) What measures have been incorporated in the computer systems to ensure compliance with the privacy laws?
(vii) In case any personal information collected by MH is disclosed to third parties, what safeguards and controls are applied?
(viii) History of privacy breaches and action taken thereof.
(ix) Are employees properly trained in handling privacy issues and concerns?
(x) Is compliance with the privacy policy being monitored at appropriate levels?
(xi) Does MH conduct periodic assessments to ensure that privacy policies and procedures are being followed?
(xii) Does MH have adequate resources to develop, implement, and maintain an effective privacy program?
(25) Question Background: Summer 2011, Q # 5, Syllabus Topic:
Management of Wee Limited is dissatisfied with the performance of the IT function. It has hired you to carry out an objective assessment and recommend suitable measures for improvement. As part of your review you have interviewed key users and have tested the main procedures. The management has also provided you various important documents including strategies and plans, budgets, security policy, business continuity plan and organizational structure of the IT department.
Required: In respect of each of the above mentioned documents, describe the information that you would be interested in and how it would be used for the purpose of your review. (10 marks)
Suggested Answer:-

1. IT strategies and plans
Target information: Details of management strategies and plans like:
o IT objectives / targets
o Long term / short term plans
o Required resources
Purpose for which the information would be used:
Whether IT strategy is aligned with business strategy.
Assessing effectiveness of long term planning.
Assessing adequacy of requirement analysis.
Assessing effectiveness of capacity management.
2. IT budgets
Target information: Allocated funds / comparison of actual funds utilised last year with allocated funds. Details of cost of procurement and other recurring costs.
Purpose for which the information would be used:
Assessing the adequacy of the budget.
Instances of budget overruns.
Assessing effectiveness of resource utilisation.
3. Security policy
Target information: Details of security plans and standards introduced by the management.
Purpose for which the information would be used:
Assess whether the security policy is comprehensive enough to cater to all current and anticipated risks (adequacy of controls).
Assessing whether regular updating and documentation of key policies is being carried out.
4. Business Continuity Plan
Target information: Evidence of the process of risk assessment. Disaster recovery procedures and plan. Evidence of testing and updating. List of key persons.
Purpose for which the information would be used:
Assess effectiveness and adequacy of the plan.
Assess adequacy of procedures.
Assess the level of awareness among the staff regarding their roles and responsibilities.
5. Organizational structure of the IT department
Target information: Management reporting lines. Structure of segregation of duties.
Purpose for which the information would be used:
Identify persons responsible for the safeguarding of IT assets.
Identify possible conflicting duties.
Identify possible reliance on one or two key personnel or lack of succession plans.

(26) Question Background: Summer 2011, Q # 6, Syllabus Topic:
Bright Solutions Limited (BSL) is a leading firm of software developers and services providers. It runs various critical applications for its clients, most of which operate on a 24/7 basis. In view of the sensitive nature of its IT operations, BSL is entering into a contract whereby Shiny Limited (SL) would be responsible to provide a hot site facility to BSL at an agreed cost.
Required: Identify the key factors which should be considered by BSL prior to entering into the hot site agreement. (10 marks)
Suggested Answer:-
BSL should consider the following key factors before entering into the hot site agreement with SL:
(i) Configuration: Are SL's hardware and software configurations adequate to meet BSL's needs?
(ii) Disaster: Is the definition of disaster agreed by SL broad enough to meet the anticipated needs of BSL?
(iii) Environmental/Social/Political Risk: If BSL and SL are at significantly different locations, they may have different levels and nature of environmental/social/political risks.
(iv) Speed of Availability: How soon after the disaster will facilities be available to BSL? How much advance notice is required for using the facility?
(v) Number of Subscribers: Does SL define any limit to the number of subscribers at the facility offered to BSL?
(vi) Preference: Does SL agree to give BSL preference if there is a common or regional disaster? Is there any backup of the hot site offered by SL? Does SL have more than one facility available for its clients?
(vii) Insurance: Is there adequate insurance coverage for BSL's employees at SL's site? Will the existing insurance company of BSL reimburse those fees?
(viii) Usage Period: For how long would SL's facility remain available for use? Would it remain available for an adequate time? Are there certain times of the year, month etc. when SL's facilities are not available?
(ix) Technical Support: What kind of technical support will SL provide? Does it seem adequate?
(x) Communications: Are the communication connections to SL's site sufficient to permit unlimited communication with it, if needed?
(xi) Warranties: What type of warranties would be provided by SL regarding availability of the site and the adequacy of facilities?
(xii) Confidentiality Measures / Controls: Are there adequate controls implemented by SL to ensure confidentiality of BSL's data?
(xiii) Audit: Is there a right-to-audit clause in the contract, permitting an audit of the site to evaluate logical, physical and environmental security?
(xiv) Testing: Is SL ready to allow periodic testing of its facility and equipment?
(27) Question Background: Summer 2011, Q # 7, Syllabus Topic:
Golden Chemicals Limited (GCL) is engaged in the business of trading of industrial chemicals. GCL makes extensive use of information technology in various routine business operations and has adequate controls over input, output and processing of data. However, GCL has witnessed rapid growth during the past few years and consequently the management feels that it needs to strengthen the process of monitoring. It has therefore decided to hire a senior person with the sole responsibility of strategic planning, development and monitoring of the IT function.
Required:
(a) Give reasons which, in your opinion, may have prompted the management to take the above decision. (03 marks)
(b) List possible advantages that GCL may expect to obtain after implementation of the above decision. (06 marks)
Suggested Answer:-
(a) The rapid growth witnessed by GCL may have significantly changed the company's IT governance structure. On account of any one or more of the following reasons the management could have been inclined to hire a senior person:
(i) The requirement of IT facilities such as manpower, hardware and software etc. may have increased significantly, resulting in higher costs, and their significance for the company requires closer monitoring.
(ii) The company's processes and functions may have become more complex, involving higher risk and therefore requiring implementation of additional and more advanced controls.
(iii) The company's reliance on IT systems may have increased, thereby enhancing the need for Business Continuity Planning.
(b) GCL may obtain the following advantages after hiring a senior person with the sole responsibility of strategic planning, development and monitoring of the IT function:
(i) Aligning the IT objectives with the business objectives.
(ii) Better and more effective controls on costs and wastages.
(iii) More efficient use of resources.
(iv) More effective risk management policies.
(v) Better documentation.
(vi) Better policies related to staff motivation and retention.
(vii) Better compliance with internal policies/procedures and external regulations.
(viii) Improved incident reporting and handling.
(ix) Improved Business Continuity Planning.

(28) Question Background: Summer 2011, Q # 8, Syllabus Topic:
Sunny Bank Limited (SBL) has recently entered into an arrangement with Glitter Inc. (GI), which provides facilities for world-wide transfer of funds. GI has installed a dedicated system application covering all branches of SBL, for electronic transfer of funds and interchange of data. The installed application will run over a Value Added Network.
Required: As SBL's Internal IS Auditor, identify and briefly explain any twelve controls which you would look for in GI's application. (12 marks)
Suggested Answer:-
I would look for the following controls while reviewing GI's application:
(i) Internet encryption processes put in place to assure authenticity, integrity, confidentiality and non-repudiation of transactions.
(ii) Edit checks to identify erroneous, unusual or invalid transactions prior to updating the application.
(iii) Additional computerized checking to assess reasonableness and validity of the transactions.
(iv) Assess whether all inbound/outbound transactions are being logged.
(v) Check whether the total number and value of transactions as reported by various branches are being reconciled with the totals communicated by GI.
(vi) Segment count totals built into the transaction set trailer by the sender.
(vii) The system has inbuilt controls whereby amounts remitted but not acknowledged by SBL within a specified time are investigated by GI.
(viii) Any change in GI's receiving centres' details is duly approved and promptly documented.
(ix) Receiving centre's code is matched automatically by the system with the approved list prior to each transaction.
(x) Approval limits have been assigned to the concerned users and are verified by the system before executing each transaction.
(xi) Initiation, approval and transmission responsibilities for high risk transactions are appropriately segregated.
(xii) Management sign-off on programmed procedures and subsequent changes are appropriately documented.
(xiii) Reporting of large value or unusual transactions for review, prior to or after transmission (exception reporting).
(29) Question Background: Summer 2011, Q # 9, Syllabus Topic:
Brilliant Bank Limited is a large commercial bank. It has a progressive management which takes pride in offering innovative services to its clients. New applications are developed on a regular basis with the objective of achieving a high degree of customer satisfaction. On the recommendation of the newly appointed HR Director, the management wants to develop Key Performance Indicators (KPIs) in all critical areas.
Required: List any three KPIs in respect of each of the following areas:
(a) IT projects performance
(b) IT operational support
(c) IT infrastructure availability
(d) IT security environment (09 marks)
Suggested Answer:-
(a) Project performance
(i) Ratio of projects completed on time.
(ii) Ratio of projects completed within budget.
(iii) Ratio of projects meeting functionality requirements / users' satisfaction rating.
(b) IT operational support
(i) Average time taken to respond to customers' complaints.
(ii) Ratio of number of problems reported and resolved/unresolved.
(iii) Percentage of customers' satisfaction over support services (through survey form).
(c) IT infrastructure availability
(i) Number of system downtimes (per unit time, i.e. per hour, per day, per week etc.)
(ii) Mean time between failures.
(iii) Number of customers' complaints about non-availability of online facilities.
(d) IT security environment
(i) Percent increase/decrease in security breaches/incidents reported.
(ii) Mean time to resolve critical security issues.
(iii) Level of customers' awareness of risks and controls. (Through survey form)

(30) Question Background: Winter 2010, Q # 1, Syllabus Topic:
Modern Hospital (MH) has ninety computers, including three servers, which are connected through a LAN. There is one vacant network point in each department and in each of the four wards. Senior doctors use these points for connecting their laptops to the network to view patients' history. Internet facility is available to all users through the LAN. Entrance to the server room is through the IT Manager's room. MH has deployed customised user access control software developed by a local software house.
Required:
(a) Identify any five physical access controls which could help to ensure physical security of the server room. (05 marks)
(b) Identify six general functions which user access control software deployed at MH should contain. (03 marks)
(c) List the type of information (seven points) that you would require to assess MH's logical access controls. (07 marks)
Suggested Answer:
(a) The following physical controls may help to ensure physical security of the server room:
(i) Installation of a biometric/electronic door lock at the entrance.
(ii) Manual / electronic log of all people accessing the server room.
(iii) Review of such logs by an appropriate authority.
(iv) Installation of surveillance cameras in the server room to monitor the entrance and the room.
(v) All visitors, such as outside technical support persons, are escorted by an authorized employee during their stay in the server room.
(b) The user access control software of MH should contain the following general functions:
(i) Creating user ID and password.
(ii) Creating or changing user profile.
(iii) Applying user login limitation rules.
(iv) Assigning and verifying user authorization to applications/transactions.
(v) Logging events.
(vi) Reporting exceptions.
(c) While assessing logical access controls of MH, knowledge of the following information would be useful:
(i) Whether there is a proper Information Security Policy in place.
(ii) Whether the Information Security Policy has been communicated to all users.
(iii) Whether a proper User Authorization Matrix (UAM) is in place.
(iv) How the patients' history is updated, and whether a proper segregation principle is in place between updating patient history and reviewing it.
(v) Whether there is a limit to the senior doctors' rights. Besides patients' history, can they access other departments' data as well?
(vi) Whether the empty network ports in wards and other departments can be used for accessing data other than patients' history. Can patients' history be edited from these ports?
(vii) Whether there is a system to handle logical access breaches / attempts at logical access breaches.
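The six general functions listed in answer (b) map directly onto a small amount of code. The following is an added example written for this compilation (not MH's software and not part of the ICAP answer); the role names, the three-attempt lockout rule, the PBKDF2 parameters and the sample user are assumptions made for illustration.

```python
"""Core functions of user access control software: create user ID/password,
create or change profile, login limitation rules, authorization checks,
event logging and exception reporting. Example code; all names and
thresholds below are assumptions, not MH's actual configuration."""
import hashlib
import hmac
import os
from datetime import datetime, timezone

LOCKOUT_THRESHOLD = 3      # assumed login limitation rule: lock after 3 failures
PBKDF2_ROUNDS = 100_000    # assumed password hashing work factor

# User profiles: role -> applications/transactions the role is authorized for (assumed)
PROFILES = {
    "senior_doctor": {"patient_history:view"},
    "ward_clerk": {"patient_history:view", "patient_history:update"},
    "hr_officer": {"payroll:view", "payroll:update"},
}


class AccessControl:
    def __init__(self):
        self.users = {}    # user_id -> account record
        self.events = []   # event log: (utc timestamp, user_id, event, detail)

    def _log(self, user_id, event, detail=""):
        self.events.append((datetime.now(timezone.utc).isoformat(), user_id, event, detail))

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    # (i) creating user ID and password: only a salted hash of the password is stored
    def create_user(self, user_id, password, role):
        if role not in PROFILES:
            raise ValueError(f"unknown role: {role}")
        salt = os.urandom(16)
        self.users[user_id] = {"salt": salt, "hash": self._hash(password, salt),
                               "role": role, "failures": 0, "locked": False}
        self._log(user_id, "USER_CREATED", role)

    # (ii) creating or changing a user profile
    def change_profile(self, user_id, role):
        if role not in PROFILES:
            raise ValueError(f"unknown role: {role}")
        self.users[user_id]["role"] = role
        self._log(user_id, "PROFILE_CHANGED", role)

    # (iii) login limitation rules: lock the account after repeated failures
    def login(self, user_id, password):
        rec = self.users.get(user_id)
        if rec is None:
            self._log(user_id, "LOGIN_FAILED", "unknown user")
            return False
        if rec["locked"]:
            self._log(user_id, "LOGIN_REJECTED", "account locked")
            return False
        if hmac.compare_digest(rec["hash"], self._hash(password, rec["salt"])):
            rec["failures"] = 0
            self._log(user_id, "LOGIN_OK")
            return True
        rec["failures"] += 1
        self._log(user_id, "LOGIN_FAILED", f"attempt {rec['failures']}")
        if rec["failures"] >= LOCKOUT_THRESHOLD:
            rec["locked"] = True
            self._log(user_id, "ACCOUNT_LOCKED")
        return False

    # (iv) assigning and verifying authorization to applications/transactions
    def authorize(self, user_id, transaction):
        rec = self.users.get(user_id)
        allowed = (rec is not None and not rec["locked"]
                   and transaction in PROFILES[rec["role"]])
        # (v) logging events: every decision, granted or denied, is recorded
        self._log(user_id, "ACCESS_GRANTED" if allowed else "ACCESS_DENIED", transaction)
        return allowed

    # (vi) reporting exceptions: the events a reviewer should look at
    def exception_report(self):
        flagged = {"LOGIN_FAILED", "LOGIN_REJECTED", "ACCOUNT_LOCKED", "ACCESS_DENIED"}
        return [e for e in self.events if e[2] in flagged]


def run_demo():
    """Walk a constructed senior-doctor account through the controls."""
    ac = AccessControl()
    ac.create_user("dr_khan", "correct horse battery staple", "senior_doctor")
    out = {
        "good_login": ac.login("dr_khan", "correct horse battery staple"),
        "view_history": ac.authorize("dr_khan", "patient_history:view"),
        "update_history": ac.authorize("dr_khan", "patient_history:update"),
    }
    for _ in range(LOCKOUT_THRESHOLD):
        ac.login("dr_khan", "wrong password")
    out["locked"] = ac.users["dr_khan"]["locked"]
    out["login_after_lock"] = ac.login("dr_khan", "correct horse battery staple")
    out["exceptions"] = len(ac.exception_report())
    return out


if __name__ == "__main__":
    print(run_demo())
```

The demo shows the point behind answer (c)(v): a senior doctor's profile permits viewing patient history but not updating it, and the denial, the failed logins and the lockout all surface in the exception report that an IS auditor would ask to see.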

(31) Question Background: Winter 2010, Q # 2, Syllabus Topic:
Shakeel Enterprises Limited (SEL) is in the process of computerising its payment function. The system would consist of two modules, one pertaining to purchase of goods and the other for all remaining payments. The present system of payments against goods involves the following key processes: A Purchase Order (PO) is raised by the Purchase Department. On receipt of goods a Goods Received Note (GRN) is prepared by the Store In-charge. The Accounts Officer processes the supplier's Invoice by matching the quantities purchased and price with the GRN and PO and checking the arithmetical accuracy of the Invoice. The payment voucher and cheque are prepared by the Senior Accounts Officer and the cheque is finally signed jointly by the Finance Manager and a Director of the company.
Required: List the significant controls that SEL should incorporate while computerising the payment of goods. (07 marks)
Suggested Answer:
SEL should incorporate the following controls while computerizing its payment function:
(i) Data entry of Purchase Order (PO), Invoice, and Goods Received Note (GRN) should be made by different users using their own IDs and passwords.
(ii) Authority limits should be assigned to the authorized persons in line with the company's policy.
(iii) The POs and GRNs should have computer generated numbers and dates.
(iv) The computer system should match the details on the PO, Invoice and GRN.
(v) The system should check the accuracy of computations.
(vi) The system should prepare the cheque for the manager to sign.
(vii) Reports of POs and GRNs issued should be electronically reviewed by a senior officer at regular intervals.
(viii) The system should prepare exception reports such as POs/Invoices outstanding for longer than a certain time period.
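Controls (i), (iv), (v) and (viii) above are the ones a programmer would actually have to encode, so here they are as an added example written for this compilation (not SEL's system and not part of the ICAP answer). The record layouts, the user IDs, the price tolerance and the 30-day outstanding limit are assumptions.

```python
"""Three-way match (PO / GRN / invoice), arithmetic check, segregation of
duties by user ID, and an exception report of overdue purchase orders.
Example code; record layouts, sample data and limits are assumptions."""
from dataclasses import dataclass
from datetime import date


@dataclass
class PurchaseOrder:
    number: int          # (iii) computer-generated sequential number
    supplier: str
    qty: int
    unit_price: float
    entered_by: str      # user ID that keyed the document in
    issued_on: date


@dataclass
class GoodsReceivedNote:
    number: int
    po_number: int
    qty_received: int
    entered_by: str


@dataclass
class Invoice:
    number: str
    po_number: int
    qty: int
    unit_price: float
    total: float         # total as printed on the supplier's invoice
    entered_by: str


def segregation_ok(po, grn, inv):
    """(i) PO, GRN and invoice must be keyed in by three different user IDs."""
    return len({po.entered_by, grn.entered_by, inv.entered_by}) == 3


def three_way_match(po, grn, inv, tolerance=0.005):
    """(iv)/(v) Match quantities and prices across PO, GRN and invoice and
    recompute the invoice total. Returns the list of exceptions found; an
    empty list means the invoice may proceed to cheque preparation."""
    problems = []
    if grn.po_number != po.number or inv.po_number != po.number:
        problems.append("documents reference different purchase orders")
    if inv.qty != grn.qty_received:
        problems.append(f"invoice qty {inv.qty} != received qty {grn.qty_received}")
    if inv.qty > po.qty:
        problems.append(f"invoice qty {inv.qty} exceeds ordered qty {po.qty}")
    if abs(inv.unit_price - po.unit_price) > tolerance:
        problems.append(f"invoice price {inv.unit_price} != PO price {po.unit_price}")
    expected = round(inv.qty * inv.unit_price, 2)
    if abs(inv.total - expected) > tolerance:
        problems.append(f"invoice total {inv.total} != computed total {expected}")
    if not segregation_ok(po, grn, inv):
        problems.append("same user ID entered more than one of PO/GRN/invoice")
    return problems


def outstanding_pos(pos, grns, today, max_days=30):
    """(viii) Exception report: PO numbers with no GRN after max_days."""
    received = {g.po_number for g in grns}
    return [p.number for p in pos
            if p.number not in received and (today - p.issued_on).days > max_days]


# Constructed sample documents (not real data)
PO_1001 = PurchaseOrder(1001, "Acme Supplies", 100, 12.50, "purch_ali", date(2010, 11, 1))
PO_1002 = PurchaseOrder(1002, "Beta Traders", 10, 5.00, "purch_ali", date(2010, 10, 1))
GRN_501 = GoodsReceivedNote(501, 1001, 100, "store_bilal")
INVOICE_OK = Invoice("INV-77", 1001, 100, 12.50, 1250.00, "acct_sara")
# Over-billed invoice keyed in by the same user who entered the GRN
INVOICE_BAD = Invoice("INV-78", 1001, 120, 12.50, 1500.00, "store_bilal")


def run_demo():
    return {
        "clean": three_way_match(PO_1001, GRN_501, INVOICE_OK),
        "bad": three_way_match(PO_1001, GRN_501, INVOICE_BAD),
        "outstanding": outstanding_pos([PO_1001, PO_1002], [GRN_501], date(2010, 12, 1)),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The "bad" invoice trips three separate checks at once (quantity mismatch against the GRN, quantity above the PO, and a segregation-of-duties breach), which is the point of running all checks and returning the full list rather than stopping at the first failure: the reviewer sees the whole pattern.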
(32) Question Background: Winter 2010, Q # 3, Syllabus Topic:
Manifold Corporation Limited (MCL) provides services of various nature including data entry, data archiving, bulk printing, customised software development and web hosting. Recently there has been an increase in the number of complaints regarding slow response, lost data, long call handling times and even breach of some service level agreements during evening hours. The Customer Services Director believes that over a period of time, the systems deployed at MCL have been overburdened and need significant upgrading. Consequently, the management intends to carry out a capacity management audit before reaching a final decision.
Required: Briefly describe:
- The concept of capacity management and when it is undertaken.
- How could a capacity management audit be useful for MCL at this stage?
- The type of information you would like to gather while carrying out the capacity management audit. (10 marks)
Suggested Answer:
Concept of Capacity Management and when it is undertaken: It is the planning and monitoring of computer resources to ensure that sufficient resources are available and are being used efficiently and effectively. Initially, this process is undertaken at the design stage as part of the company's strategic planning. However, it is a continuous process and should be carried out at regular intervals.
Usefulness for MCL at this stage: Since the Customer Services Director suggests upgrading the systems, a capacity management audit would help to evaluate his suggestion and would give justification for accepting or rejecting it.
The following type of information is useful to gather while conducting a capacity management audit:
(i) Specification of existing resources
(ii) Current and projected CPU utilization, computer storage utilization, telecommunication and wide area bandwidth utilization
(iii) Information related to response time and processing time
(iv) Average number of users connected during peak and off-peak hours
(v) Incident management reports regarding IT infrastructure. More incidents may indicate low capacity systems which might not be meeting the demand.
(vi) Analysis of complaint call log / system log, audit trails etc. according to:
- Types of complaints: an exceptionally high proportion of similar types of complaints may indicate a capacity management issue.
- Timing: a high number of complaints during a specific time may also indicate the issue.
- By customers: an exceptionally high number of complaints from a particular customer or a certain type of customers may be an indication of problems of a specific nature.
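Point (vi) is the part of the audit that can be automated. What follows is an added example written for this compilation (not MCL's tooling and not part of the ICAP answer) that runs the three analyses, by complaint type, by timing and by customer, over a constructed complaint log. The log format, the 18:00 to 23:59 "evening" window, the 50% share threshold and the sample lines are all assumptions.

```python
"""Complaint-log analysis for a capacity management audit: aggregate by
complaint type, time period and customer, and flag any bucket whose share
of all complaints is exceptionally high. Example code; format, thresholds
and sample data are assumptions."""
from collections import Counter

# Constructed sample log (not real data): timestamp, customer ID, complaint type
SAMPLE_LOG = """\
2010-11-15T10:12,CUST-07,lost_data
2010-11-15T18:40,CUST-12,slow_response
2010-11-15T19:05,CUST-03,slow_response
2010-11-15T19:22,CUST-12,long_call_handling
2010-11-15T19:48,CUST-12,slow_response
2010-11-15T20:10,CUST-09,sla_breach
2010-11-15T20:31,CUST-12,slow_response
2010-11-16T11:02,CUST-05,lost_data
2010-11-16T19:15,CUST-12,slow_response
2010-11-16T19:50,CUST-01,slow_response
"""

SHARE_THRESHOLD = 0.5   # assumed: a bucket holding more than half of all complaints is exceptional


def parse_log(text):
    """Parse CSV-style lines into dicts. Malformed lines are skipped and counted,
    so the auditor knows how much of the log the analysis actually covers."""
    rows, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.strip().split(",")
        if len(parts) != 3 or len(parts[0]) < 13 or not parts[0][11:13].isdigit():
            skipped += 1
            continue
        ts, customer, ctype = parts
        rows.append({"hour": int(ts[11:13]), "customer": customer, "type": ctype})
    return rows, skipped


def period_of(hour):
    return "evening" if 18 <= hour <= 23 else "other"


def analyse(rows):
    """Aggregate the parsed rows and flag buckets above SHARE_THRESHOLD."""
    total = len(rows)
    by_type = Counter(r["type"] for r in rows)
    by_period = Counter(period_of(r["hour"]) for r in rows)
    by_customer = Counter(r["customer"] for r in rows)

    def exceptional(counter):
        return {k: n for k, n in counter.items() if total and n / total > SHARE_THRESHOLD}

    return {
        "total": total,
        "by_type": dict(by_type),
        "by_period": dict(by_period),
        "by_customer": dict(by_customer),
        "flags": {"type": exceptional(by_type),
                  "period": exceptional(by_period),
                  "customer": exceptional(by_customer)},
    }


def run_demo():
    rows, skipped = parse_log(SAMPLE_LOG)
    result = analyse(rows)
    result["skipped_lines"] = skipped
    return result


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)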

(33) Question Background: Winter 2010, Q # 4, Syllabus Topic:
Utopia Limited is following the System Development Life Cycle (SDLC) approach for development of their core business application. The management wants to ensure that all necessary controls are in place and the work is progressing according to pre-conceived standards. As IS auditor of the company, you have been assigned to carry out a concurrent review of all stages of the SDLC.
Required: List key steps that you would perform while reviewing:
(a) Feasibility study, functional requirements and system specifications. (06 marks)
(b) Testing and implementation phase. (08 marks)
Suggested Answer:
(a) While auditing the feasibility study, functional requirements and technical specifications I would:
(i) Evaluate if alternative systems were considered before selecting the proposed system,
(ii) Determine if the information needs of strategic management, employees, customers and other business stakeholders have been analyzed,
(iii) Evaluate whether the proposed system would be able to meet the business requirements,
(iv) Evaluate if the cost justification/benefits are verifiable and based on appropriate parameters,
(v) Evaluate the reasonableness of documentation produced during the system investigation, analysis and design phases,
(vi) Evaluate if the specifications developed for the hardware, software, people, network and the information products satisfy the functional requirements of the proposed system, and
(vii) Check if a project management plan has been made and approved by the management.
(b) While auditing the testing and implementation phase, I would:
(i) Review the test plan for completeness, with evidence that users have participated actively.
(ii) Review the sign-off documents to make sure all areas have been tested by the right users.
(iii) Interview users for their understanding and level of participation.
(iv) Check if users' training has been conducted.
(v) Perform some parallel testing to evaluate users' testing results.
(vi) Review system documentation to ensure that all updates from the testing phase have been incorporated.
(vii) Verify all conversions of data to ensure they are correct and complete before the system is implemented.
(viii) Make sure that a backup procedure is in place, in case implementation fails.
(ix) Check that the correct timing for implementation has been selected, considering the level of business activity and peak times.

(34) Question Background: Winter 2010, Q # 5, Syllabus Topic:
Excellent Services Limited is a reputed organisation which handles important and sensitive data of its clients. The management is aware that a security breach can jeopardize the relationship with their clients. It has therefore hired you as a consultant to assess the Information Security needs of the company.
Required: As the Consultant, draft a presentation containing the following:
(a) List of critical success factors of an effective Information Security Management System. (05 marks)
(b) Explanation of Information Security Governance and its benefits. (05 marks)
Suggested Answer:
(a) The critical success factors for an effective information security management system include:
(i) A strong commitment and support by the senior management.
(ii) A comprehensive program of formal security awareness training.
(iii) A professional risk-based approach should be used systematically to identify sensitive and critical information resources.
(iv) Risk assessment activities should be undertaken to mitigate unacceptable risks.
(v) Responsibilities and accountabilities should be clearly defined in the information security policies and procedures.
(b) Information security governance is a subset of corporate governance that provides strategic direction for security activities and ensures objectives are achieved. It ensures that information security risks are appropriately managed and enterprise information resources are used responsibly.
Benefits of IT Security Governance:
(i) Increased predictability and reduced uncertainty of business operations.
(ii) Protection from the potential for civil and legal liability.
(iii) Assurance of security policy compliance.
(iv) Foundation for effective risk management.
(v) Provides a level of assurance that critical decisions are not based on faulty information.
(vi) Accountability for safeguarding information.

(35) Question Background: Winter 2010, Q # 6, Syllabus Topic:
EQU has experienced a considerable increase in revenue and business during the last three years. The company has reached a stage where it is getting extremely difficult for the management to focus on its core activities while putting enough time into associated support areas. On the advice of their consultant and after prolonged deliberations, the management has finally decided to outsource certain non-core activities.
Required: The management is presently outsourcing the IT function and has asked you to:
(a) Identify the factors that EQU should consider while selecting its outsourcing partners. (09 marks)
(b) Identify the steps that EQU would need to take for monitoring its relationship with the outsourcing partners. (04 marks)
Suggested Answer:
(a) EQU should consider the following factors while selecting a vendor as its outsourcing partner:
(i) Financial viability, through its past annual reports and market feedback.
(ii) Commitment to quality, through its existing clients and market feedback.
(iii) Awareness & training: whether the vendor arranges regular awareness and training sessions for its employees.
(iv) Controls in place for disaster recovery and continuity of operations.
(v) Comprehensive insurance and commitment to compensate the client's loss.
(vi) Access controls and security administration at the vendor's premises.
(vii) Change management and testing procedures in place.
(viii) Additional value added capability/services offered by the vendor.
(ix) Prices offered by the vendor for its deliverables in comparison with others.
(x) Location of the vendor's business.
(b) EQU would need to take the following steps for effective monitoring of its relationship with the outsourcing partner:
(i) EQU should make comprehensive Service Level Agreements (SLAs) with its outsourcing partners incorporating appropriate clauses to facilitate subsequent monitoring.
(ii) Assign specific responsibilities for coordination and monitoring.
(iii) Periodic assessment of the outsourcing partner should be carried out by comparing actual performance with the benchmarks agreed in the SLAs.
(iv) The agreed benchmarks should be reviewed periodically to bring them in line with the latest trends and standards.

(36) Question Background: Winter 2010, Q # 7, Syllabus Topic:
Calm Limited has been using customised accounting software for many years. The management has now decided to implement ERP in the company. The objective is to have an integrated real time view of the company's core business activities to achieve efficient processing, better management, improved customer satisfaction and profit maximisation. However, the idea has not been welcomed by many employees in the company.
Required:
(a) Briefly describe the factors that may lead to users' resistance during ERP implementation and what measures should be taken to overcome such resistance. (06 marks)
(b) Elaborate five factors that may result in failure of the company to achieve the objectives of ERP implementation. (05 marks)
Suggested Answer:
(a) Factors that may provoke user resistance and measures to overcome them are described below:
(i) Reluctance to change: Most users are reluctant to change as they get used to a particular style of working and feel uncomfortable when they are required to learn new methods and procedures. This problem can be overcome by:
- User involvement in the implementation phase
- Persuasion
- Providing incentives
- Following a modular or phased approach for the changeover
(ii) Change in user interface: A change in the user interface may generate user resistance. It can be controlled by:
- Improving the user interface as far as possible
- User training and education
- Explaining the finer points of the system which facilitate the user
(iii) Organizational changes: Implementation of the system often results in organizational changes that users resist, e.g. reduced chance of bonuses, redundancies, monotonous work. It can be controlled by:
- Redesigning any affected incentive schemes to incorporate the new system.
- Giving confidence to the employees as regards continuity of their employment.
(b) The following factors may result in failure of the company to achieve the objectives of ERP implementation:
(i) Poor or non-existent planning is a recipe for disaster. Unrealistic deadlines would be identified much earlier if a proper planning process is undertaken.
(ii) Poor supervision and control of the progress of implementation.
(iii) Frequent changes demanded by the users result in excessive cost to the system which is being developed.
(iv) Lack of management commitment.
(v) Improper management of users' resistance.
(vi) Failure to modify or change some of the existing procedures according to the ERP requirements.

(37) Question Background: Winter 2010, Q # 8(a), Syllabus Topic:
Briefly describe the role of an Audit Charter and the key aspects addressed by it in an internal information systems audit function. (07 marks)
Suggested Answer:
An audit charter is used to clearly document the formal acceptance of the IS auditor's mandate to perform the IS audit function. Key aspects addressed by an Audit Charter in an internal information systems audit function are as follows:
(i) Purpose: Role, objective and scope of the audit function are defined.
(ii) Responsibility: Operating principles, independence, relationship with external audit, audit requirements, critical success factors, key performance indicators, other measures of performance and risk assessment are defined.
(iii) Authority: Rights of access to information, personnel, locations and systems relevant to the performance of audits are defined. Any limitation of scope, functions to be audited and audit expectations are generally described.
(iv) Accountability: Reporting lines to senior management, assignment performance appraisals, independent quality reviews, compliance with standards and assessment of completion of the audit plan are described in the audit charter.

(38) Question Background: Winter 2010, Q # 8(b), Syllabus Topic:
Identify the important matters which an IS Auditor would consider while selecting a Computer Assisted Audit Technique. How could greater productivity and improved quality of audits be achieved through CAATs? (06 marks)
Suggested Answer:
An IS Auditor would consider the following important matters while selecting a Computer Assisted Audit Technique:
(i) Ease of use.
(ii) Capacity to handle data.
(iii) Efficiency of analysis.
(iv) Level of training required.
(v) Effectiveness in preventing and/or detecting frauds.
(vi) Cost and licensing structure.
Greater productivity and improved quality of audits may be achieved through CAATs as:
(i) Automated repetitive tasks reduce the time required for audits.
(ii) More time is available for critical functions.
(iii) Project documentation is simplified.
(iv) CAATs can analyze the entire data for the audit period, thereby reducing the audit risk.
(v) Integrity of analysis is assured.
(vi) Audit methodologies are standardized.

(39) Question Background: Winter 2010, Q # 9, Syllabus Topic:
ABC Limited has recently set up a data processing centre for one of its clients in a small city. It is in the process of finalising an insurance policy for the information systems processing facilities at its new office. Identify and briefly describe any seven types of risks that may be insured. (07 marks)
Suggested Answer:
The following types of risks, related to information systems processing facilities, may be insured:
(i) IS Facilities: provides coverage for physical damage to the information processing facilities.
(ii) IS Equipment: provides coverage for physical damage to the owned equipment.
(iii) Media (software) reconstruction: covers damage to IS media that is the property of the insured and for which the insured may be liable.
(iv) Extra expense: designed to cover the extra costs of continuing operations following damage or destruction at the information processing facility.
(v) Business interruption: covers the loss of profit due to the disruption of the activity of the company caused by any malfunction of the IS organization.
(vi) Valuable papers and records: covers the actual cash value of papers and records on the insured premises, against direct physical loss or damage.
(vii) Errors and omissions: provides legal liability protection in the event that the professional practitioner commits an act, error or omission that results in financial loss to a client.
(viii) Fidelity coverage: usually covers loss from dishonest or fraudulent acts by employees.
(ix) Media transportation: provides coverage for potential loss or damage to media in transit to off-premises information processing facilities.
(40) Question Background: Summer 2010, Q # 1, Syllabus Topic:
Cute N Elegant (CNE) is a highly progressive and large garment manufacturing company. You have recently joined as its IT Manager. After reviewing the system you had a meeting with the CEO and the General Manager (GM) in which you explained the need to develop a formal IT strategy for the company. The CEO seemed to understand your point of view. However, the GM argued that the company's systems are performing well. The company is making extensive use of IT in the areas of finance, production, marketing and HR. The departmental heads are satisfied and feel that the information being generated by the system is quite useful and adequate for their decision making needs. The GM therefore seemed to disagree with you.
Required: The CEO has asked you to prepare a note explaining the following:
(a) Why is it important for CNE to develop an IT strategy? (04 Marks)
(b) The aspects which should be considered while developing the IT strategy. (05 Marks)
(c) The typical contents of an IT plan. (06 Marks)
Suggested Answer:
(a) The management of CNE should develop a strategy for information technology because:
(i) IT is a high cost activity and therefore lack of a coherent strategy is likely to lead to expensive mistakes.
(ii) IT is critical to the success of CNE, because IT is a strategic activity in CNE as most of its departments are using IT for most of their work.
(iii) Proper management of IT could lead to improved services for all levels of management as well as other stakeholders.
(iv) It helps to align the IT function with the overall business strategy of the company.
(v) It plays an important role in effective and efficient use of IT resources.
(vi) It helps in planning the flow of information and processes.
(vii) It helps in reducing the time and expense of the information systems life cycle.
(b) The following aspects should be considered while developing an overall IT strategy:
(i) Vision, mission and business objectives of the company.
(ii) The key business areas that could benefit most from an investment in IT.
(iii) Cost of systems, i.e. software, hardware, management commitment and time, education and training, conversion, documentation, operational manning, and maintenance.
(iv) What should be the criteria for performance measurement of the IT function?
(v) Implications of the proposed strategy on the existing work force.
(c) The typical contents of an IT plan are as follows:
(i) A statement containing the main points of the plan (Executive Summary).
(ii) Overall organization goals.
(iii) How information systems and information technology contribute to attaining these goals.
(iv) Key management decisions regarding hardware, software, data and telecommunications.
(v) Outline for new application areas being planned.
(vi) Specific dates and milestones relating to IT projects.
(vii) Financial information such as budget and cost benefit analysis.

(41) Question Background: Summer 2010, Q # 2, Syllabus Topic:
Clay & Stones Limited makes stone jewellery, clay pots and decoration pieces depicting the Indus Valley civilization. It has sales outlets in two major cities of the country. Due to increasing interest of tourists in its products, the management has started a project to launch an e-commerce enabled website. The management has appointed you as their consultant for this project.
Required:
(a) Develop a questionnaire to be filled by the management, in order to enable you to carry out the following:
(i) Ascertain the viability of the project.
(ii) Determine the resources required to host the website.
(iii) Plan the customer services and support requirements. (09 Marks)
(b) Suggest suitable measures to ensure that the website remains (i) secure, (ii) updated and (iii) available. (06 Marks)

Suggested Answer:
(a) Questionnaire
Project Viability
(i) What is the estimated capital expenditure and what are the recurring costs?
(ii) What advantages will CSL gain from becoming accessible on the web?
(iii) What disadvantage(s) might CSL encounter from becoming accessible on the web?
(iv) What are the legal requirements/restrictions imposed by the government which must be met?
Required Resources
(i) What hardware will be required? Has it been arranged?
(ii) What software would be required? Has it been purchased?
(iii) What type of communication service (email, discussion board, phone, toll free number, and postal mail) would be used?
(iv) What type of security services/protocols would be required? (SSL, SET and IPSec etc.)
Customer services and support requirements
(i) What support would be available to customers (FAQs, query via email, online chat, toll free number)?
(ii) How would the orders be fulfilled/delivered?
(iii) What payment options would be available to customers (cheque, credit/debit card, electronic funds transfer)?
(iv) Which currencies would CSL accept for payment?
(v) How would CSL handle customs duties?
(vi) Would CSL offer import and export assistance to its customers?
(vii) Which other languages (if any) could/should be made usable on the website?
(b) Suggested measures to ensure that the website remains secure, updated and available
Security
(i) If site maintenance and support is outsourced, get an appropriate non-disclosure agreement signed. If maintenance and support is in-sourced, get a non-disclosure agreement signed by all members of the team.
(ii) For the security of customers' transactions, implement appropriate standards and protocols like Open Buying on the Internet (OBI), Open Trading Protocol (OTP), and Secure Electronic Transaction (SET) Protocol etc.
(iii) Get the transaction area protected with Secure Sockets Layer (SSL).
(iv) Get the website security mechanism and related procedures certified by an independent audit firm.
(v) Define appropriate policies and procedures for privacy and confidentiality issues.
(vi) Document the mechanism for securing the website and get it approved by the appropriate authority.
(vii) Appoint external information system auditors for periodic audits of website security.
Update
(i) Identify the events/activities/actions that require updating the website contents.
(ii) The departmental heads shall be made responsible for keeping the respective information on the website updated.
(iii) A senior officer should be assigned the responsibility for periodic review of the website to ensure that the information given there is current.
Availability
(i) If maintenance and support is outsourced, get an appropriate service level agreement signed. If maintenance and support is in-sourced, appoint an appropriate team for a 24x7 schedule.
(ii) Make arrangements for a suitable help desk function.
(iii) Prepare and test disaster recovery and business continuity plans.
(iv) Periodically monitor website traffic and its response in peak hours.

(42) Question Background: Summer 2010, Q # 3, Syllabus Topic:
Star Link Limited is a large Internet Service Provider with presence in far flung areas of the country. Due to a landslide, one of its offices situated in the northern part of the country has been badly damaged. The process of recovery from the disaster has just been completed.
Required: Explain how you would review the post-event compliance by the concerned office with the business continuity plan of the company. (04 Marks)
Suggested Answer:
To assess the post-event BCP compliance by the concerned office, I would conduct users'/staff interviews and assess related documentary evidence to check:
(i) Whether the roles and responsibilities assigned to various individuals were duly carried out?
(ii) Whether the action plans forming part of the BCP were carried out as envisaged?
(iii) Whether the services were restored within the expected time as specified in the BCP?
(iv) Were appropriate mitigating exercises carried out?

(43) Question Background: Summer 2010, Q # 4, Syllabus Topic:
You have been appointed by Peak Bank Limited (PBL) to review various controls over its nationwide money transfer service which has been launched recently. To avail the service it is not necessary for the customers to open an account or even to visit the bank premises. PBL has authorized various merchants to execute the transactions. Customers are required to fill a form containing the following fields:
- Name of sender
- CNIC # of sender
- Mobile/Phone number of sender
- Name of receiver
- CNIC # of receiver
- Mobile/Phone number of receiver
- Amount to be sent
To initiate the transaction, the merchant logs on to the bank's website using his ID and password and enters the transaction details. The sender is then requested to enter a password which he has to communicate to the receiver. Transaction confirmation alerts are received by the sender as well as the receiver, on their mobile phones. The receiver is required to visit his nearest authorized merchant to collect the money. He receives the money on showing his original CNIC, the transaction confirmation SMS and the password set by the sender.
Required: Explain how you would evaluate the following types of controls relating to the above situation:
(a) Input Controls (05 Marks)
(b) Transmission and System Failure Controls (07 Marks)
Suggested Answer:
(a) Input controls
We would evaluate whether the following types of controls are in place:
(i) The system ensures that all validated fields are entered.
(ii) The system highlights/reports amounts outside of the expected range.
(iii) There are appropriate controls to ensure that no values beyond the expected limits are accepted.
(iv) There are appropriate controls to ensure that the total value of messages is within an agreed (daily) limit.
(v) Transaction amount and receiver's CNIC are keyed in twice at the time of transaction initiation.
(vi) The initiating merchant checks the transaction detail against the originating document before finally submitting it to the bank's website.
(vii) The system generates control totals for number and value of messages input, and checks them against input records.
(viii) The sequence of fields on the form at the bank's website should be the same as in the printed form to be filled by the sender.
(b) Transmission and system failure controls
We would evaluate whether the following types of controls are in place:
(i) In case of message interruption during transmission, whether the system provides a record / acknowledgement of accepted messages.
(ii) Whether there are written procedures for the retransmission of non-accepted messages.
(iii) Whether the list of all messages is reconciled with the list of accepted and the list of rejected messages.
(iv) Whether an incident log is kept for all interruptions.
(v) Whether there are controls to prevent duplication of message processing following system recovery.
(vi) Are appropriate procedures in place to address an abrupt failure when the sender's message is being processed and the initiating merchant's system is not restored within a reasonable time?
(vii) Is a proper helpline service available? (viii) Whether interruptions are reviewed. (ix) Whether the communications protocol uses error-detection/correction techniques. (x) Whether the system generates any check-sums, control totals etc. (xi) Whether UPS, alternative hardware resources and other necessary backup equipment are in place? (44) Question Background: Summer 2010, Q # 5(a), Syllabus Topic: Briefly explain the term Single Sign-on. (03 Marks) Suggested Answer:- SINGLE SIGN-ON: Single sign-on (SSO) is a user authentication process that permits a user to enter one name and password in order to access multiple applications. The process authenticates the user for all the applications to which he has been given rights and eliminates further prompts when he switches applications during a particular session. The information resource or SSO server handling this function is referred to as the primary domain. Every other information resource, application or platform that uses those credentials is called a secondary domain. (45) Question Background: Summer 2010, Q # 5(b), Syllabus Topic: Narrate three advantages and three disadvantages of using a Single Sign-on policy. (06 Marks)
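The input controls in (a) and the transmission/system-failure controls in (b) of question 43 above, as an added worked example that is not part of the ICAP suggested answer: the limits, field formats, message identifiers and sample values are constructed assumptions, not figures from the question.

```python
"""Added example, not part of the ICAP suggested answer: automated checks for
the PBL money-transfer service in question 43.  Part (a) covers the input
controls (completeness, format, range, daily limit, double keying, control
totals); part (b) covers transmission/system-failure controls (acknowledgement
record, check-sum, incident log, reconciliation, no duplicate processing after
recovery).  Field names, limits and sample values are constructed assumptions."""
import hashlib
import re

# Constructed limits; the question states none of these figures.
MIN_AMOUNT, MAX_AMOUNT = 100, 50_000          # per-transaction range, rupees
DAILY_MERCHANT_LIMIT = 500_000                # agreed daily value limit per merchant
CNIC_RE = re.compile(r"^\d{5}-\d{7}-\d$")     # CNIC layout NNNNN-NNNNNNN-N
PHONE_RE = re.compile(r"^03\d{9}$")           # 11-digit mobile number 03XXXXXXXXX
REQUIRED = ("sender_name", "sender_cnic", "sender_phone",
            "receiver_name", "receiver_cnic", "receiver_phone", "amount")


def validate_transfer(form, amount_rekey, receiver_cnic_rekey, merchant_total_today):
    """Part (a), controls (i)-(v): return the list of failures; empty means accept."""
    errors = []
    for name in REQUIRED:                                # (i) all fields present
        if not str(form.get(name, "")).strip():
            errors.append(f"missing field: {name}")
    for name in ("sender_cnic", "receiver_cnic"):        # format validation
        if form.get(name) and not CNIC_RE.match(form[name]):
            errors.append(f"bad CNIC format: {name}")
    for name in ("sender_phone", "receiver_phone"):
        if form.get(name) and not PHONE_RE.match(form[name]):
            errors.append(f"bad phone format: {name}")
    amount = form.get("amount")
    if isinstance(amount, int):
        if not MIN_AMOUNT <= amount <= MAX_AMOUNT:        # (ii)/(iii) range check
            errors.append("amount outside expected range")
        if merchant_total_today + amount > DAILY_MERCHANT_LIMIT:   # (iv) daily limit
            errors.append("daily merchant limit exceeded")
        if amount != amount_rekey:                        # (v) double keying
            errors.append("amount re-key mismatch")
    else:
        errors.append("amount must be a whole number of rupees")
    if form.get("receiver_cnic") != receiver_cnic_rekey:  # (v) double keying
        errors.append("receiver CNIC re-key mismatch")
    return errors


def control_totals(records):
    """Part (a), control (vii): (count, value) to compare with the input records."""
    return len(records), sum(r["amount"] for r in records)


def message_digest(msg_id, payload):
    """Part (b), control (x): check-sum so corruption in transit is detected."""
    return hashlib.sha256(f"{msg_id}|{payload}".encode()).hexdigest()


class TransferLog:
    """Part (b), controls (i), (iii)-(v): acknowledgement record, incident log,
    reconciliation and suppression of duplicates replayed after a recovery."""

    def __init__(self):
        self.accepted = {}     # msg_id -> digest  (the acknowledgement record)
        self.rejected = {}     # msg_id -> reason
        self.incidents = []    # (iv) log of every interruption/corruption

    def receive(self, msg_id, payload, digest):
        if msg_id in self.accepted:             # (v) replay after recovery: once only
            return "duplicate-ignored"
        if digest != message_digest(msg_id, payload):
            self.rejected[msg_id] = "checksum mismatch"
            self.incidents.append(f"{msg_id}: corrupted in transit")
            return "rejected"
        self.rejected.pop(msg_id, None)         # a good retransmission clears a reject
        self.accepted[msg_id] = digest
        return "ack"

    def reconcile(self, all_sent):
        """(iii) every sent message must be accepted or rejected; the remainder were
        lost during an interruption and are due for retransmission under (ii)."""
        seen = set(self.accepted) | set(self.rejected)
        return sorted(set(all_sent) - seen)
```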

Suggested Answer:- SSO advantages include: (i) It reduces the time taken by users to log into multiple applications and platforms. (ii) Multiple passwords are no longer required; therefore, a user may be more inclined and motivated to select a stronger password. (iii) It reduces administrative overhead in resetting forgotten passwords over multiple platforms and applications. (iv) It improves an administrator's ability to manage users' accounts and authorizations to all associated systems. SSO disadvantages include: (i) The centralized nature of SSO presents the possibility of a single point of failure and total compromise of an organization's information assets. (ii) The costs associated with SSO development can be significant when considering the nature and extent of interface development and maintenance that may be necessary. (iii) Support for all major operating system environments is difficult. SSO implementations will often require a number of solutions integrated into a total solution for an enterprise's IT architecture. (46) Question Background: Summer 2010, Q # 6, Syllabus Topic: To secure the most competitive prices, the IT Manager of Natural Pharmaceuticals Limited has suggested that annual IT requirements as approved in the budget should be purchased in bulk at the start of the year. One of the Directors is however of the view that such a practice would not be in the best interest of the company. He has recommended introducing a suitable cost charge out method for controlling the IT expenses. Required: (a) List three benefits and three drawbacks of the system of bulk purchasing as recommended by the IT Manager. (06 Marks) (b) Briefly explain any two methods of charging IT costs. Give three advantages and three disadvantages in each case. (08 Marks) Suggested Answer:- (a) Benefits of Bulk IT procurement process (i) Standardization of IT equipment. (ii) Higher discounts. (iii) Better terms related to support and maintenance.
Drawbacks of Bulk IT procurement process
Purchasing IT equipment for the entire year in one go may not always be advisable, because: (i) Of the higher cost of capital (financing). (ii) Warranty of equipment starts from the date of delivery, irrespective of whether it is used six or seven months later. (iii) The equipment may become relatively obsolete by the time it is actually used. (b) The two methods of charging IT costs are as follows: (i) Market-based charge out method. Under market-based methods, the IT department acts as a profit centre. It sets its own prices and charges for its services with the aim of making a profit. Advantages of the market-based charge out method include: 1- The efficiency of the IT department has to improve, otherwise the user departments have the right to demand external standards of service. 2- It encourages an entrepreneurial attitude. IT managers are in charge of a department that could make a profit; this helps to motivate them. 3- A true picture of user departments' financial performance is obtained as the IT costs charged to each department are based on market rates. Disadvantages of the market-based charge out method include: 1- It can be difficult to decide on the charge out rate, particularly if there is no comparable service provider outside the organization. 2- If users feel rates are excessive, they may reduce their usage to below optimal levels, and relationships between the IS/IT department and user departments may become strained. 3- Even if the service provided is poor, it may not be in the organization's interest for user departments to buy from outsiders because the IT function's fixed costs still have to be covered. (ii) Inclusion as an administrative overhead. Under this system IT costs are treated as a general administrative expense, and are not allocated to user departments. Advantages of this approach are: 1- It is simple and cheap to administer, as there is no charge out system to operate.
2- It may encourage innovation and experimentation, as user departments are more likely to demand better quality systems if they will not bear any cost. 3- The relationship between IS staff and user departments is not subject to conflict over costs. Disadvantages of this approach are: 1- User departments may make unreasonable and economically unjustifiable demands. 2- Any inefficiencies within the IT department are less likely to be exposed as user departments will not be monitoring cost levels. 3- A true picture of user departments' financial performance is not obtained, as significant costs attributable to that department are held in a central pool. (47) Question Background: Summer 2010, Q # 7, Syllabus Topic: Tripod Financial Holdings (TFH) is a well-known financial institution with a large number of clients. Security of clients' data is the top most priority of TFH. Besides implementing appropriate logical and physical controls, the management uses various techniques to keep the employees updated on security issues. Required: As the IT Manager of TFH, write a memo to the relevant employees as regards the following: (a) The concept of social engineering and how it is carried out. (03 Marks) (b) The technique of Phishing and the ways to avoid it. (05 Marks) Suggested Answer:- (a) Social Engineering is the act of interacting with people and deceiving them to obtain important/sensitive information or perform any other act that is harmful. A social engineer can use the phone, the Internet, or even show up personally to induce a person to disclose ID number, username, password, server name(s), machine name(s), remote connection settings, schedules, credit card number(s) etc.

Piggybacking, shoulder surfing, faux service, dialling for passwords, bribery, fascination and bullying are some examples of social engineering. (b) Phishing attacks use email or malicious web sites to solicit personal, often financial, information. Attackers may send email seemingly from a reputable credit card company or financial institution that requests account information, often suggesting that there is a problem. When users respond with the requested information, attackers can use it to gain access to the accounts. Phishing can be avoided by taking the following measures: (i) Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about employees or other internal information. (ii) Do not provide personal information or information about your organization, unless you are certain of a person's authority to have the information. (iii) Do not reveal personal or financial information in email, and do not respond to email solicitations for this information. (iv) Don't send sensitive information over the Internet before checking a website's security. (v) Pay attention to the URL of a web site. Malicious web sites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net). (vi) An ongoing security awareness program can be helpful in creating awareness among employees about phishing attacks. (48) Question Background: Summer 2010, Q # 8, Syllabus Topic: The IT department of Boom Brokerage House (BBH) consists of five employees. BBH has a network of 100 computers. The information processing system is centralized. Internet and e-mail facility is available to selected users. You are conducting the information system audit of BBH. While interviewing users and observing various processes, you learned that: The CEO of the company has wide experience of investment and commercial banking with working knowledge of IT.
Sensitive data is available only to the CEO and a few senior management personnel. However, only the CEO has the password to open the sensitive database in edit mode. After entering the password, the necessary editing is carried out by the IT Manager. Domain accounts of users are created by the Assistant Manager IT and their initial passwords are communicated to them verbally. Users can change their passwords whenever they want. However, they cannot repeat their last five passwords. The passwords can have a maximum of 32 characters but there is no minimum limit. Users can log in from any terminal and are allowed to log in from a maximum of two terminals at a time. Clients' data is accessible to users according to their job descriptions. Job descriptions are defined by the HR department in consultation with the relevant departmental heads and are finally approved by the CEO. Additional rights are allowed on a need-to-have basis, on verbal instructions of the CEO. The Administrator password of the domain is shared between the IT Manager and his Assistant Manager, for maintenance and support purposes. Required: Identify six risks and the consequences thereof, in the above scenario. Specify at least one mitigating control in each case. (12 Marks) Suggested Answer:-

(i) Risk: Users' initial passwords are communicated to them verbally.
Consequence: Passwords may be compromised and misused.
Controls: Passwords must be conveyed to the users in a sealed envelope. Users should be forced to change their passwords on their first log on.

(ii) Risk: Users can change their passwords whenever they want.
Consequence: This will allow users to continue with a single password by resetting five different passwords and reverting back to the old one immediately. This in turn will increase the probability of password compromise.
Controls: Users should not be allowed to change their passwords before a specified number of days. For early change of password, a written request must be submitted to the system administrator.

(iii) Risk: There is no minimum limit of characters in passwords.
Consequence: Users may keep blank, short or easy to guess passwords.
Controls: A minimum password length should be defined, say, at least 8 characters. Passwords must meet complexity requirements.

(iv) Risk: Users are allowed to log in from two terminals at a time.
Consequence: Attempts of unauthorized access to sensitive data remain undetected. Senior management users may share their passwords with their assistants/other users.
Controls: Users, specifically senior management users, should not be allowed to log in from more than one terminal at a time. Users should be restricted to log in from their allocated terminals only.

(v) Risk: Additional rights are allowed to users on verbal instructions of the CEO.
Consequence: Unauthorized access to sensitive data may go undetected.
Controls: Access to sensitive data in violation of the defined job description should not be allowed. Changes in access rights/job description should be documented.

(vi) Risk: Only the CEO has the password to open the sensitive database in edit mode.
Consequence: The database may not be edited if the CEO forgets the password.
Controls: The CEO should seal the database password and place it in a secure place like a bank locker. The password storage place should be known to senior management.

(vii) Risk: After entering the database password, the necessary editing is carried out by the IT Manager.
Consequence: Unauthorized use of privileges by the IT Manager may remain undetected.
Controls: A database log should be maintained, reviewed and signed off by a senior management member.

(viii) Risk: The domain's Administrator password is shared between the IT Manager and his Assistant Manager.
Consequence: Responsibility for unauthorized use of privilege may not be fixed.
Controls: The Administrator password should not be shared under any circumstances. Users involved in maintenance and support may be given higher privileges to fulfil their job requirements as and when needed.

(ix) Risk: The IT department is under strength.
Consequence: The principle of segregation of duties may be violated.
Controls: Increase the strength of the IT department. Define compensating controls where segregation of duties is not possible.
(49) Question Background: Summer 2010, Q # 9, Syllabus Topic: You have recently been appointed as Chief Information Security Officer of WIJCO, which is a large manufacturer of electronic equipment and accessories. The management has shared with you a report of their internal auditor according to which there are serious deficiencies in the information security system of the company. The internal auditor has recommended that the system needs significant improvement and that the company should attain certification of an international security standard. You agree with the internal auditor; however, on account of the high costs involved, the management is reluctant to accept the internal auditor's recommendation. Required: (a) State the benefits of compliance with an international information security standard. (05 Marks) (b) List down the steps that you would take for attaining an international security standard certification for your organization. (06 Marks) Suggested Answer:-

(a) The following are the potential benefits of complying with an international Information Security Management System standard. (i) Assurance: Management can be assured of the security and reliability of the system, if a recognized framework or approach is followed. (ii) Competitive Advantage: Following an international standard will help to gain competitive advantage. (iii) Bench Marking: It can be used as a benchmark for current position and progress within the peer community. (iv) Awareness: Implementation of a standard results in greater awareness about information security practices within an organization. (v) Alignment: Implementation of standards tends to involve both business management and technical staff, therefore, greater IT and business alignment often results. (vi) Interoperability: Systems from diverse parties are more likely to fit together if they follow a common guideline. (b) I would take the following steps for getting WIJCO certified to an international security standard: (i) Obtain an understanding of the security issues addressed in the international security standards. (ii) Develop a business case. (iii) Get management support. (iv) Define scope and boundaries. (v) Develop an implementation program. (vi) Develop policies, procedures and standards as required. (vii) Conduct risk assessment / gap analysis. (viii) Implement controls to fill the gaps. (ix) Conduct a pre-certification assessment and take corrective actions if any gaps still exist. (x) Invite a certification body for the certification audit. (50) Question Background: Winter 2009, Q # 1, Syllabus Topic: The mobile and wireless market is one of the fastest growing markets in the country. It is estimated that there are more than 30 million mobile phone users in Pakistan. The fast-growing use of mobile phones has induced the financial institutions to offer value added services via mobile.
Required: Explain the limitations and risks associated with mobile banking services from the perspective of data and network security. (06 Marks) Suggested Answer:- (i) Because the handset is more portable than a laptop or PC, it is also more easily lost. (ii) The limited keypad functionality of standard handsets may effectively limit the choice of PINs, and/or result in PINs which can be compromised. (iii) Encryption in mobile communication is not necessarily end-to-end, creating vulnerabilities at various points where data can be intercepted and read by third parties. (iv) Physical access to the SIM card may reveal the subscriber key. (v) Physical or logical access to Mobile Network Operator facilities by an unauthorized person may give access to mobile banking users' transaction data. (vi) The mobile station may not be able to guarantee that it is communicating with the right recipient and is vulnerable to attacks like active identity caching and passive identity caching. (vii) Mobile banking service may be suspended due to breakdown of the telecommunication network. (51) Question Background: Winter 2009, Q # 2, Syllabus Topic: Chic Technologies (CT) is working on a highly sophisticated customised application for Mobin Industries (MI). The development work of the application and the system testing has been completed. User Acceptance Testing (UAT) is now being planned. Required: As IT Manager of MI, prepare a brief presentation for the guidance of various levels of users / executives, as regards the following: (a) Difference between System Testing and UAT. (03 Marks) (b) Steps that are generally involved in the UAT process. (03 Marks) (c) The people and process related risks in the implementation phase. (07 Marks)
Suggested Answer:-
(a) System testing is conducted on a complete, integrated system to evaluate the system's compliance with its specified requirements. This testing is performed by technical staff, usually in a test environment, before the system is implemented. User Acceptance Testing (UAT) is a process to obtain confirmation by the owner or client of the object under test, through trial or review, that the new system meets mutually agreed-upon requirements. (b) The steps taken for User Acceptance Testing typically involve the following: (i) User Acceptance Test (UAT) Planning (ii) Designing UA Test Cases (iii) Selecting a Team that would execute the UAT Test Cases (iv) Executing Test Cases (v) Documenting the Defects found during UAT (vi) Resolving the issues/Bug fixing (vii) Sign Off (c) PEOPLE-RELATED RISKS
(i) Lack of follow-up on the part of top management
(ii) Limited stakeholder involvement and/or participation
(iii) Weak commitment of the project team
(iv) Subject matter experts may be overscheduled
(v) Team members lack requisite knowledge and/or skills
(vi) Weak project manager
(vii) Stakeholder conflicts
(viii) Users' resistance to change
(ix) Users' feedback may be inadequate

PROCESS-RELATED RISKS
(i) Lack of documented requirements and/or success criteria
(ii) Inadequate or misused methods
(iii) Ineffective change control process (change management)
(iv) Scope creep
(v) Ineffective schedule planning and/or management
(vi) Poor testing
(vii) Communication breakdown among stakeholders
(viii) Resources assigned to a higher priority project

(52) Question Background: Winter 2009, Q # 3, Syllabus Topic: RCOM Consulting is a global leader in IT consulting services. RCOM has a team of highly trained professionals who support a large number of clients worldwide. In certain cases, their support staff has to contact the customers over telephone to provide immediate solutions. Quite often, these calls consume a lot of time. One of the directors of RCOM has therefore suggested the use of a VoIP solution to reduce costs. Required: Briefly explain the following: (a) What do you understand by VoIP technology? (02 Marks) (b) Some of the disadvantages (including security issues) related to the use of VoIP. (03 Marks) Suggested Answer:- (a) Voice-over Internet Protocol (VoIP), also known as Internet telephony, is a technology that enables data packet networks to transport real time voice traffic. VoIP makes it possible to have a voice conversation over the Internet or any dedicated IP network instead of dedicated voice transmission lines. Sounds are digitized into IP packets and transferred through the network layer before being decoded back into the original voice. (b) Disadvantages related to the use of VoIP (i) It is more prone to virus attacks. (ii) The possibility of hacking and disclosure of sensitive information may increase. (iii) Denial of service on account of flooding of the data network. (iv) Extra cost of infrastructure. (53) Question Background: Winter 2009, Q # 4, Syllabus Topic: The management of Gemini Shipping Lines Limited (GSLL) is not satisfied with the performance of its IT department.
It also believes that the internal audit department of the company is not monitoring the IT related controls. Required: (a) Identify the key indicators which can be used to measure the performance of IT department and IT processes. (List eight key indicators) (04 Marks)

(b) Identify six critical success factors that may be lacking and on account of which the performance of the internal audit department in monitoring IT related controls may have suffered. (06 Marks) Suggested Answer:- (a) Key performance indicators to measure the performance of the IT department and IT processes are as follows: (i) Cost efficiency of IT processes (costs versus deliverables). (ii) Frequency and effectiveness of IT action plans for process improvement initiatives. (iii) Levels of utilization of IT infrastructure. (iv) Availability of relevant knowledge and information. (v) System downtime. (vi) Throughput and response times. (vii) Number of errors and rework. (viii) Number of non-compliance reports. (ix) Development and processing time. (x) Satisfaction of IT users and stakeholders (surveys and number of complaints). (b) The following critical success factors may be lacking: (i) Lack of top management commitment to implement controls and frequent override of controls. (ii) Management is unable to clearly define what components of the processes need to be controlled. / A properly defined IT control process framework may not be in place. (iii) The personnel of internal audit may be lacking in knowledge and understanding of IT related controls. (iv) Roles and responsibilities of the internal audit department may not be clearly defined. (v) Lack of coordination between internal audit and the IT department. (vi) A clear process may not be in place for timely reporting of internal control deficiencies. (vii) Lack of relevant resources. (54) Question Background: Winter 2009, Q # 5, Syllabus Topic: Universal Medical Store (UMS) has a countrywide chain of stores. The management is planning to upgrade their website and launch a medical services portal where pre-registration would be allowed to their customers and they would be able to ask questions from renowned medical specialists.
The customers' data recorded at the time of registration would remain in the UMS database unless the customer decides to relinquish the registration. However, their questions and the doctors' replies would be removed from the UMS server after twelve months. Required: (a) List the key steps which UMS should perform to ensure that it is complying with all the relevant privacy laws. (04 Marks) (b) Briefly describe the basic principles which should form part of UMS's privacy policy, in the above situation. (08 Marks) Suggested Answer:- (a) UMS should take the following steps to ensure that it is complying with relevant privacy laws: (i) Identify the concerned laws and regulations governing the issue of privacy. (ii) Study and understand the legal requirements of each such legislation. (iii) Critically review the privacy policy and related procedures to ascertain that they take into consideration the requirements of applicable privacy laws and regulations. (iv) Verify that the correct security measures are adopted and are being implemented. (b) The following principles should be considered while collecting personal information: Openness. There should be a general practice of openness about policies related to personal information and those should be adequately disclosed to all stakeholders. Collection limitation. The collection of personal information should be obtained by lawful and fair means and with the knowledge and consent of the subject. Purpose specification. The purpose for collecting personal information should be disclosed at the time of collection. Further uses should be limited to those purposes.

Use limitation. Personal information should not be disclosed for secondary purposes without the consent of the subject or by authority of law. Individual participation. Wherever possible, personal information should be collected directly from the individual. Regular updating. Individuals should be allowed to inspect and correct their personal information. Security safeguards. Personal information should be protected by reasonable security safeguards against such risks as loss, unauthorized access, destruction, use, modification or disclosure. Limited Access. Access to personal information should be limited to only those within the organization with a specific need to see it. Accountability. Someone within the organization, such as the Chief Privacy Officer or an information manager, should be held accountable for complying with its privacy policy. Independent privacy audits to monitor organizational compliance should be conducted on a regular basis, as should employee training programs. (55) Question Background: Winter 2009, Q # 6, Syllabus Topic: TN Limited (TNL) had so far been using simple back-up procedures to safeguard its data. It has now developed a comprehensive Business Continuity Plan (BCP) under which arrangements have been made with a third party for using their processing facilities. Under the proposed agreement, the third party would provide the necessary hardware on which TNL's software will remain installed, for its use, in case of a disaster. Required: (a) Which issues must be covered in the above agreement with the third party? (06 Marks) (b) Briefly describe the following three types of tests which TNL plans to carry out, soon after the agreement is finalized: (i) Paper Walkthrough Test (ii) Preparedness Test (iii) Full Operational Test (06 Marks) Suggested Answer:- (a) The following issues must be covered clearly in the agreement: (i) How soon the site will be made available subsequent to a disaster?
(ii) The period during which the site can be used. (iii) The conditions under which the site can be used. (iv) The facilities and services the site provider agrees to make available. (v) What controls will be in place and working at the alternative facility. (vi) The priority to be given to concurrent users of the site in the event of a common disaster. (vii) Frequency with which the system could be tested / audited for compatibility. (viii) Payment terms should be clearly explained. (ix) Inclusion of a penalty clause to ensure fulfilment of commitment. (x) Appropriate provision as regards the termination of the contract. (b) Paper Walkthrough Test: In this type of test the major players in the plan's execution reason out what might happen in a particular type of service disruption. They may walk through the entire plan or just a portion. Preparedness Test: These tests are usually performed in respect of smaller components of the IT system, i.e. in respect of one or two areas of operation only. These are usually performed at the entity's own processing facility and prepare it for a full operational test at a later stage. Full Operational Test: This is full scale testing in which users pass through a simulation of a system crash as it would happen in reality. All IT operations at the original site are shut down and the processing facilities are recovered at the backup/alternative recovery site. This test requires all players of the team to participate actively and play their roles as described in the BCP. (56) Question Background: Winter 2009, Q # 7, Syllabus Topic: King Limited (KL) has decided to engage Queen Limited (QL) for maintenance of its IT hardware, including printers, scanners, monitors, and network related devices and cabling. Important clauses of the draft Service Level Agreement between them are as follows:
(i) The agreement will commence on December 13, 2009 and will be terminated automatically if not formally extended, on December 12, 2010. (ii) KL will ensure that the equipment will be in proper mechanical and electrical condition on the commencement date. Any work involved in putting the equipment into such condition will be charged separately. (iii) Fifty visits per annum will be made by qualified technical personnel of QL. (iv) Emergency visits will be provided as and when required. However, emergency visits made after office hours or on holidays will be charged separately, at the rates prevailing at that time. (v) Routine maintenance services will be carried out during normal business hours, at regular intervals. (vi) All faulty parts and consumables will be replaced at extra cost after the approval by KL. (vii) This agreement does not cover any work necessitated by neglect, misuse, accident or voltage fluctuation. (viii) QL reserves the right to discontinue services under this agreement whenever it finds that sub-standard or non-genuine supplies are being used, thus hampering the proper fulfilment of their responsibilities. (ix) Payment will be made in advance, on or before the commencement date. Required: Review the above clauses of the draft agreement and identify the shortcomings thereof. (07 Marks) Suggested Answer:- The following weaknesses are observed in the SLA of KL with QL: (i) Performance criteria are not specifically defined. / Service level is not defined. (ii) An exit route for QL is defined but none is defined for KL. (iii) It is not clear what percentage of the payment will be refunded to KL if QL terminates the contract before the end date. (iv) Full payment has been made in advance; in case of poor performance KL can neither easily recover the payment nor deduct any penalty from QL's charges. (v) Rates for after office hours/holiday emergency visits are left unspecified.
(vi) Absence of an appropriate penalty clause against non-fulfilment of commitment. (vii) The interval between routine maintenance of equipment is not defined. (viii) The number of visits expected is unrealistic. It is a question of debate as to what the technical persons of QL will do during their 4-5 visits per month. (ix) Neglect and misuse are open-ended terms and should be clearly defined / described. (x) Maintenance should be performed during off peak hours or after office hours to avoid disruption of normal office activities. (57) Question Background: Winter 2009, Q # 8, Syllabus Topic: The management of Apollo Ltd is concerned with the increase in IT Governance issues being faced by the company. You have discussed the issue with the head of the IT department and he is of the view that he is not receiving appropriate support from other departments. Required: Briefly describe the following: (a) Domains covered by IT Governance. (05 Marks) (b) The extent of responsibilities of the head of the IT department in respect of the above domains and what type of co-operation should be received by him from the management and other departments of the company. (08 Marks) Suggested Answer:- (a) IT Governance covers the following domains: (i) Strategic Alignment, focuses on ensuring the linkage of business and IT plans; on defining, maintaining and validating the IT value proposition; and on aligning IT operations with enterprise operations. (ii) Value Delivery, is about executing the value proposition throughout the delivery cycle, ensuring that IT is delivering the promised benefits against the strategy, concentrating on optimizing costs and proving the intrinsic value of IT. (iii) Risk Management, requires awareness by senior corporate officers, a clear understanding of the enterprise's appetite for risk, understanding of compliance requirements, transparency about the significant risks to the enterprise, and embedding of risk management responsibilities into the organization.

39

Information Technology Management, Audit & Control

By: Faisal Zia (www.professionalsworld.net)

(iv) Resource Management, is about the optional investment in, and the proper management of, critical IT resources i.e. applications, information infrastructure and people. Key issues relate to the optimization of knowledge and infrastructure. (v) Performance Measurement, tracks and monitors strategy implementation, project completion, resource usage, process performance and service delivery, using, for example, balanced scorecards that translate strategy into action to achieve goals measurable beyond conventional accounting. (b) Responsibilities of IT Head Assist the IT strategy Committee in formulating the overall IT Strategy. Ensuring timely completion of the Value project and fulfilling the users Delivery need with utmost cost effectiveness. Playing a key role in the Risk Management formulation of a Business Continuity Plan. Clearly communicating the IT related risks. Identifying weaknesses promptly. Updating the knowledge of IT Resource Management Department. Proper capacity planning. Preventive maintenance. Performance Defining key performance measurement indicators for IT functions and personnel. Strategic Alignment Co-operation from Management and Other Departments Give due weightage to IT heads recommendations. Management taking due interest and prompt feedback by the users. Managements active participation in ensuring that non-compliance to controls is strongly discouraged.

Comply with the suggested procedures and controls. Provide resources for training of staff. Giving due weightage to IT heads recommendations when deciding upon the issue of compensation packages of IT related personnel.

(58) Question Background: Winter 2009, Q # 9, Syllabus Topic:
Challenger Limited is a leading FMCG company. It is in the process of reviewing its information technology risk management program.

Required: In the above context, apprise the management as regards the following:
(a) Key success factors for an effective information technology risk management program. (04 Marks)
(b) Responsibilities of the information technology risk management function. (05 Marks)

Suggested Answer:
(a) Key success factors for an effective Information Technology Risk Management Program are as follows:
(i) Leadership direction and management support.
(ii) Management accountability and authority to effect change.
(iii) Close alignment with the corporate culture.
(iv) Consistent and standardized risk management processes supported by tools and technology.
(v) Measurable results.
(vi) Periodic review and updating of the Information Technology Risk Management Program.
(b) The responsibilities of the information technology risk management function include:
(i) Establishing the risk framework for information technology management.
(ii) Educating all concerned persons about information technology policies, guidelines and regulatory requirements.
(iii) Information technology risk reporting.
(iv) Appropriate use of monitoring tools and technologies.
(v) Interfacing with regulators/auditors.
(vi) Independent review of risk governance and management processes.

(59) Question Background: Winter 2009, Q # 10, Syllabus Topic:
Smooth Brokerage House (SBH) has a large setup of computers connected through a well-configured network. The newly appointed Network Administrator of SBH has strongly suggested deploying a firewall on SBH's network. However, the IT Manager is of the view that firewalls just add expense and do not add any value in protecting the network. He also gave some examples where networks were crashed by external intruders even in the presence of a firewall.

Required:
(a) Explain why, in some setups, firewalls are not as successful as in others. (04 Marks)
(b) Briefly explain the following types of firewall configurations: (i) Bastion host (ii) Screened host (iii) Screened subnet (09 Marks)

Suggested Answer:
(a) Firewalls may not succeed in all setups due to one or more of the following reasons:
(i) The firewall is poorly configured or misconfigured.
(ii) Proper testing processes/procedures are not carried out to monitor firewall security.
(iii) The organization relies too much on perimeter firewall security.
(iv) Not all traffic is required to pass through the firewall.
(b) Bastion Host Configuration: In this configuration all internal and external communication must pass through the bastion host. The bastion host is exposed to the external network; therefore it must be locked down, removing any unnecessary applications or services. It can use filtering, proxying or a combination of the two. It is not a specific type of hardware, software or device.

Screened Host Configuration: This configuration generally consists of a screening router (border router) configured with access control lists. The router employs packet filtering to screen packets, which are then typically passed to the bastion host and then to the internal network. The screened host (the bastion host in this example) is the only device that receives traffic from the border router.
This configuration provides an additional layer of protection for the second host.

Screened Subnet Configuration: The bastion host is sandwiched between two routers (the exterior router and the interior router). The exterior router provides packet filtering and passes the traffic to the bastion. After the traffic is processed, the bastion passes the traffic to the interior router for additional filtering. The screened subnet provides a buffer between the internal and external networks. This configuration is used when an external population needs access to services that can be allowed through the exterior router, but the interior router will not allow those requests into the internal network.

(60) Question Background: Summer 2009, Q # 1, Syllabus Topic:
Prestige Corporation intends to evaluate its information security measures. It has been advised by its Information Security consultant to start with a penetration test of its network, as all financial transactions are routed through the network. The management is not aware of the requirements of a penetration test, its benefits and the risks faced.

Required: Explain the following:
(a) Penetration testing and its purpose. (02 Marks)
(b) Any four benefits of penetration testing. (04 Marks)
(c) Any four risks associated with network penetration testing. (04 Marks)

Suggested Answer:
(a) Penetration Testing
It is a security assessment technique that uses threat-based attack scenarios to increase awareness of an organization's vulnerabilities and risks. The purpose of penetration testing is:
- Assessment of real threats to business systems;
- Relating the impact of technical vulnerabilities to business risks.
(b) Benefits of Penetration Testing

Information Technology Management, Audit & Control

By: Faisal Zia (www.professionalsworld.net)

(i) Goes beyond surface vulnerabilities and demonstrates how these vulnerabilities can be exploited iteratively to gain greater access.
(ii) Allows for testing the susceptibility of the human element by the use of social engineering.
(iii) Enables testing in a real environment.
(iv) Demonstrates that vulnerabilities are not just theoretical.
(c) Risks of Network Penetration Testing
(i) It may slow the organization's network response time.
(ii) The possibility exists that systems may be damaged.
(iii) Sensitive information may be disclosed.
(iv) Some unknown backdoors may be created.
(v) Future attackers may be created, because it gives employees an idea of how to hack.
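The screened subnet configuration described in the answer to Question 59(b) above, modelled as an added example that is not part of the ICAP paper or the suggested answer: an exterior router, a bastion host in the screened subnet and an interior router, each applying a first-match access control list with implicit deny. The addresses (RFC 5737 documentation ranges), ports and rules are constructed for illustration.

```python
"""Model of the screened subnet firewall configuration (Q59(b) above).

Added example, not part of the ICAP paper or suggested answer. The topology,
addresses (RFC 5737 documentation ranges), ports and rules are all constructed
for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str    # source IP address
    dst: str    # destination IP address
    dport: int  # destination TCP port


@dataclass(frozen=True)
class Rule:
    src_net: str           # CIDR the source must fall in
    dst_net: str           # CIDR the destination must fall in
    dport: Optional[int]   # None matches any port
    action: str            # "permit" or "deny"

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src_net)
                and ip_address(pkt.dst) in ip_network(self.dst_net)
                and (self.dport is None or self.dport == pkt.dport))


def filter_packet(acl: List[Rule], pkt: Packet) -> bool:
    """First matching rule decides; an ACL with no match denies (implicit deny)."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action == "permit"
    return False


# Constructed topology
ANY = "0.0.0.0/0"
DMZ = "192.0.2.0/24"        # the screened subnet
BASTION = "192.0.2.10/32"   # bastion host sandwiched between the two routers
INTERNAL = "10.10.0.0/16"   # internal network behind the interior router

# Exterior router: the external population may reach only the services the
# bastion publishes; nothing from outside is routed straight to the internal LAN.
EXTERIOR_ACL = [
    Rule(ANY, BASTION, 443, "permit"),
    Rule(ANY, BASTION, 25, "permit"),
    Rule(ANY, INTERNAL, None, "deny"),
]

# Interior router: only the bastion, and only on the port it proxies, may open
# connections into the internal network. Every other DMZ host is refused, so
# a compromised DMZ machine still faces a filter before the internal LAN.
INTERIOR_ACL = [
    Rule(BASTION, INTERNAL, 8443, "permit"),
    Rule(DMZ, INTERNAL, None, "deny"),
]


def route(pkt: Packet) -> str:
    """Trace a packet through the screened subnet.

    Returns where it ends up: "bastion" (delivered to the bastion host),
    "internal" (delivered to the internal LAN), or "dropped:<hop>".
    """
    src_in_dmz = ip_address(pkt.src) in ip_network(DMZ)
    if not src_in_dmz:
        # Anything arriving from outside crosses the exterior router first.
        if not filter_packet(EXTERIOR_ACL, pkt):
            return "dropped:exterior"
    if ip_address(pkt.dst) in ip_network(BASTION):
        return "bastion"
    if ip_address(pkt.dst) in ip_network(INTERNAL):
        # Only the interior router stands between the DMZ and the internal LAN.
        if not filter_packet(INTERIOR_ACL, pkt):
            return "dropped:interior"
        return "internal"
    return "dropped:unrouted"


if __name__ == "__main__":
    probes = [
        Packet("203.0.113.5", "192.0.2.10", 443),  # external client -> published service
        Packet("203.0.113.5", "10.10.1.20", 443),  # external client -> internal LAN
        Packet("192.0.2.10", "10.10.1.20", 8443),  # bastion proxies to the backend
        Packet("192.0.2.10", "10.10.1.20", 22),    # bastion tries an unpublished port
        Packet("192.0.2.50", "10.10.1.20", 8443),  # another DMZ host -> internal LAN
    ]
    for p in probes:
        print(f"{p.src:>13} -> {p.dst}:{p.dport:<5} {route(p)}")
```

The last two probes show the buffer the answer describes: even traffic originating inside the screened subnet is filtered again by the interior router before it can reach the internal network.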

(61) Question Background: Summer 2009, Q # 2, Syllabus Topic:
Patriot Industries Limited has recently completed its system transition. The company has discarded its old system, developed in the C language, and implemented a new ERP system to integrate its different business processes and achieve competitive advantage. A post-implementation review is underway, which has highlighted that a number of changes were made on the production server after Go-Live.

Required:
(a) Describe the consequences which the company may face in the absence of proper change management controls. (04 Marks)
(b) Identify eight policies which the company should adopt to ensure that proper change management controls are implemented. (06 Marks)

Suggested Answer:
(a) The company may face the following consequences in the absence of proper change management controls:
(i) Increased risk and security vulnerabilities.
(ii) Assessment of the impact on other associated areas/programs may be ignored.
(iii) Lack of accountability for unauthorized changes.
(iv) Undocumented changes, resulting in poor documentation.
(v) Business interruptions may occur due to uncontrolled changes.
(vi) Poor audit findings.
(vii) Loss of confidence in system security and data integrity.
(viii) Potential fines and other disciplinary measures due to incorrect reporting or submissions to government authorities.
(b) The following policies may be implemented to ensure proper change management controls:
(i) All production devices must be monitored for changes.
(ii) All changes should be recorded, explained and documented.
(iii) Change implementers should not authorize their own changes.
(iv) All changes must be tested in the development environment before being implemented live.
(v) All users who may be affected should be notified of the change.
(vi) The viewpoint of all related users should be obtained to assess the impact of the change on other associated areas/programs.
(vii) Change successes and failures should be tracked.
(viii) Authority levels should be well defined.
(ix) No changes to production assets should be allowed outside scheduled maintenance windows.
(x) All unauthorized changes must be investigated.
(xi) Audit trails should be tracked regularly.
(xii) Exception reports should be designed and reviewed regularly.

(62) Question Background: Summer 2009, Q # 3, Syllabus Topic:
Buqrat Digital Business Limited (BDBL) has recently implemented an integrated system to enhance the efficiency of its business operations. To provide timely technical assistance to its 150 employees connected to the system, the management of BDBL has decided to set up a Help Desk.

Required: As their IT Manager, you are required to make a presentation to the senior executives explaining the following:
(a) Typical functions that can be supported through a Help Desk. (04 Marks)
(b) Critical requirements for effective and efficient functioning of the Help Desk function. (05 Marks)
(c) Ways to gather information for evaluating the performance of the Help Desk function. (03 Marks)

Suggested Answer:
(a) The following functions are usually supported through a help desk:
(i) Installation of hardware and software upgrades.
(ii) Assisting end users in resolving issues related to hardware and software.
(iii) Informing end users about problems with hardware and software that may be foreseen in view of any specific situation.
(iv) Monitoring technological developments and informing end users of developments that might be pertinent to them.
(b) The critical requirements for efficient and effective working of the help desk function are as follows:
(i) Support staff must be knowledgeable about the diverse range of systems used throughout the organization.
(ii) They must have a high level of interpersonal skills in order to interact effectively with users.
(iii) They must show empathy, for example, when users encounter problems.
(iv) The system should maintain a log of all difficulties reported and how they were resolved.
(v) The procedures for assignment of tasks should be well defined.
(vi) The time schedule of staff duties should be well defined.
(vii) If a response is not provided within the designated time period, the system should alert the manager of the help desk area.
(viii) Management's commitment to support the Help Desk function.
(c) The information required to evaluate the Help Desk function can be gathered through the following:
(i) Interviews: End users can be interviewed to determine their level of satisfaction with the service provided by the help desk.
(ii) Observations: Help Desk personnel may be observed to see how they respond to user queries.
(iii) Review of documentation: Logs maintained by the help desk reporting system may be reviewed to determine whether accurate, complete and timely responses are being provided.

(63) Question Background: Summer 2009, Q # 4, Syllabus Topic:
Wonder Industries (WI) is a manufacturer of cell phone accessories. Different departments are responsible for various activities such as sales and services, planning, manufacturing, inventory management and other critical tasks. You have recently joined WI and observed that these departments work independently of each other. You feel that an integrated Supply Chain Management application can improve the efficiency of these departments.

Required: Write a report to the CEO on the following:
(a) A brief description of how an integrated Supply Chain Management application can help to:
- Improve relationships with customers and suppliers;
- Reduce costs of operations; and
- Create greater co-ordination within the departments. (06 Marks)
(b) List eight important changes that the company may have to introduce in order to implement a Supply Chain Management System. (04 Marks)

Suggested Answer:
(a) (i) An integrated Supply Chain Management (SCM) application helps in improving relationships with customers and suppliers by:
- Quick order processing and delivery of goods.
- Ensuring availability of goods.
- Correct product and price information.
- Timely payments.
(ii) The SCM application helps in reducing costs of operation by:
- Reducing manpower requirements through greater automation.
- Lowering the levels of inventory.
(iii) The SCM application helps in greater co-ordination within the departments by providing a single source of information, which results in:
- Timely response among departments; and
- Fewer conflicts in views.
(b) The company is expected to undertake the following changes in order to implement a Supply Chain Management System:
(i) Implementation of international e-business standards.
(ii) Standardization of taxonomies, terms and semantics, both general and industry-specific.
(iii) Integrating the system with suppliers and customers.
(iv) Developing the ability to deal with different languages, laws and customs.
(v) Ensuring 24 x 7 availability of systems.
(vi) Enhancing logical and physical controls on data.
(vii) Centralized storage of information.
(viii) Hardware and software upgrades.
(ix) Training of existing staff.

(64) Question Background: Summer 2009, Q # 5, Syllabus Topic:
You have supervised the Information System audit of Future Face Limited (FFL). Your team has made a number of findings during their review.

Required: Identify the risks which you would like to highlight in your audit report as a consequence of each of the following findings of your team:
(a) FFL does not have a formal Information Technology Strategy. (02 Marks)
(b) The security module in the financial application is not configured for: (i) Periodic password changes. (ii) Account lockout policy. (iii) Logging of user access. (04 Marks)
(c) FFL has formal backup and recovery procedures but has not yet documented a formal Business Continuity and Disaster Recovery Plan. (03 Marks)
(d) A server-based antivirus solution is being used but its maintenance period has expired and the vendor has ceased to support that version. (03 Marks)
(e) Firewall is configured at default (vendor) settings. (02 Marks)

Suggested Answer:
The risks associated with the given situations are listed hereunder:
(a) FFL does not have a formal Information Technology Strategy.
(i) The IT objectives may not be aligned with the business objectives.
(ii) Future IT investments in hardware and software may not be those that best meet the entity's medium- to long-term needs.
(iii) There may be no or limited succession planning.
(b) The security module in the financial application is not configured for:
(i) Periodic password changes: high probability of users' passwords being compromised.
(ii) Account lockout policy: unauthorized log-on attempts may not be identified, and the chance of password compromise increases.
(iii) Logging of user access: attempts at unauthorized access to applications and data remain undetected, and responsibility for errors (intentional and unintentional) cannot be fixed.
(c) FFL has formal backup and recovery procedures but has not yet documented a formal Business Continuity and Disaster Recovery Plan.
(i) Backup and recovery procedures may not be enough to avoid extended disruptions of business in the event of a disaster.
(ii) Critical business processes and critical recovery times may not be known.
(iii) The management may not be able to determine the steps required to recover from a disaster or contingency.
(iv) Formal roles and responsibilities of disaster recovery teams may remain undefined.
(d) A server-based antivirus solution is being used but its maintenance period has expired and the vendor has ceased to support that version.
(i) Failure to detect new types of viruses.
(ii) Absence of technical support.
(e) Firewall is configured at default (vendor) settings and the network administrator is not trained to configure the firewall.
(i) The firewall may allow unauthorized access.
(ii) It may also restrict access to authorized users.

(65) Question Background: Summer 2009, Q # 6, Syllabus Topic:
Right Bank Limited is a leading bank in the country. A large proportion of its business activities involve e-banking. As a member of the IS audit team, you have been assigned to assess the effectiveness of the bank's policies as regards audit trails.

Required:
(a) List six key steps involved in carrying out the above assessment. (06 Marks)
(b) Identify any three non-financial e-banking transactions for which maintaining an audit trail is important. (03 Marks)

Suggested Answer:
(a) Key steps involved in carrying out the assessment of the bank's policies as regards audit trails include:
(i) Review and assess whether the company's policy regarding maintenance of audit trails is comprehensive and well defined.
(ii) Review the security access control list and assess whether authority levels for managing audit trails are appropriate and well defined.
(iii) Obtain and review the risk assessment document for audit trails.
(iv) Test an appropriate sample of transactions to ensure the availability of audit trails according to the defined policies and controls.
(v) Test an appropriate sample of transactions to check whether audit trails of critical transactions are periodically reviewed and assessed.
(vi) Test an appropriate sample of transactions to check whether problems and issues identified by the reviewer of audit trails are adequately addressed.
(b) The maintenance of an audit trail may be important for the following non-financial e-banking transactions:
(i) The opening, modification or closing of a customer's account.
(ii) Any granting, modification or revocation of system access rights or privileges.
(iii) Authorization of changes in credit limits, etc.
(iv) Change of password.
(v) Change in personal information (including the secret question).

(66) Question Background: Summer 2009, Q # 7, Syllabus Topic:
As an IT training consultant you have recently had preliminary meetings with a client. The management has serious concerns regarding the security of classified information. On interviewing the users and the management, you have observed that none of them are aware of the best practices for handling classified information.

Required: Advise the management in respect of:
(a) Best practices for handling classified information. (07 Marks)
(b) Benefits of maintaining classification of information assets. (03 Marks)

Suggested Answer:
(a) Best practices for handling classified information include:
(i) The classification of information must be communicated to all users.
(ii) As far as possible, classified information should be kept in encrypted form.
(iii) Access to classified information should be given on a need-to-have basis.
(iv) Classified material shall not be taken home or outside the office premises.
(v) Classified working papers such as notes and rough drafts should be dated and inventoried.
(vi) Classified information should not be disposed of in the waste basket. It must be placed in a designated container for destruction by shredding or burning, etc.
(vii) When information is transmitted from one official to another, the receipt should be recorded and acknowledged.
(viii) Classified information should be kept under an approved security arrangement.
(ix) Activities of users should be logged while they are accessing classified information, and the logs should be reviewed periodically.
(x) At the end of the day a security check should be conducted to ensure that all classified material is properly secured.
(b) The benefits of maintaining the classification of information assets are as follows:
(i) It helps in identifying the appropriate level of access controls for each class of information asset.
(ii) It reduces the risk and cost of under- or over-protecting information resources.
(iii) Formulation of a consistent and homogeneous policy for the security of information assets throughout the organization.
(iv) Assists in the formulation and implementation of appropriate DRP and BCP policies.

(67) Question Background: Summer 2009, Q # 8, Syllabus Topic:
Hype Telecommunications (HT) is a pioneer in Internet telephony. It has a Business Continuity Plan (BCP) in place but, as a further precautionary measure, it has requested your advice to protect against any risk of breakdown.

Required: You are required to identify:
(a) The importance of updating the Business Continuity Plan and the circumstances which create a need for the plan to be updated. (04 Marks)
(b) The officials who can be assigned the roles of data owners and data custodians, and briefly explain their respective responsibilities relating to the security of data. (04 Marks)
(c) Responsibilities of the person who has been assigned the task of maintenance of the BCP. (05 Marks)

Suggested Answer:
(a) Importance of an updated Business Continuity Plan
(i) A BCP which is not updated may fail to safeguard the company from disruption in case of a disaster.
(ii) There may be missing links in the recovery procedures and consequently the procedures may fail or the recovery may be delayed significantly.
Circumstances which create a need to update the BCP
The following factors can trigger the need to update a BCP:
(i) Changes in business strategy may alter the significance of various applications.
(ii) A change in the needs of the organization.
(iii) Acquisition/development of new resources/applications.
(iv) Changes in the software or hardware environment may make current provisions obsolete, inappropriate or inadequate.
(v) Change in roles and/or responsibilities of DRP/BCP team members, or change in arrangements with the vendors.
(vi) Change in regulatory requirements.
(vii) Material weaknesses found during testing of the BCP.
(b) Data Owners are generally the top two layers of management, such as directors and managers. They are responsible for using information for running and controlling the business. Their security responsibilities include authorizing access, ensuring access rules are updated whenever there is a change of personnel, and regularly reviewing access rules relating to the data for which they are responsible.
Data Custodians are responsible for storing and safeguarding the data and include IS personnel such as subsystem analysts and computer operators.
(c) Responsibilities of the person assigned the task of maintenance of the BCP are as follows:
(i) Developing a schedule for periodic review, testing and maintenance of the plan.
(ii) Advising all personnel of their roles and the deadline for receiving revisions and comments.
(iii) Calling for unscheduled revisions whenever significant changes occur.
(iv) Arranging and coordinating scheduled and unscheduled tests of the business continuity plan.
(v) Training recovery personnel in emergency and recovery procedures.
(vi) Maintaining records of business continuity plan maintenance activities, i.e. testing, training and reviews.
(vii) Evaluating unsuccessful test results and incorporating the necessary changes into the BCP.

(68) Question Background: Summer 2009, Q # 9, Syllabus Topic:
With the emergence of business conglomerates and globalization, the conventional techniques of manual auditing are no longer an option. The quantum, location and complexity of data stored in computerized systems warrant auditing through computer-based tools and techniques to ensure efficiency and provide the desired level of assurance to the stakeholders.

Required:
(a) Describe Generalized Audit Software and its major functions. (08 Marks)
(b) List any four limitations of Generalized Audit Software. (04 Marks)

Suggested Answer:
(a) Generalized Audit Software
Generalized audit software (GAS) is a computer-assisted audit technique (CAAT) which is used to identify and select data and transactions of interest to the auditor for further analysis. It may be used to verify the adequacy of file integrity controls such as data editing and validation routines, for non-continuous monitoring of transactions, and for sampling of transactions.
Major functions performed by GAS are as follows:
(i) File access, i.e. reading different types of file structures, record formats and data formats.
(ii) File reorganization, i.e. storage and merging of files.
(iii) Selection, i.e. extracting data that satisfies certain conditional tests.
(iv) Arithmetic operations, including addition, multiplication, subtraction, division, etc.
(v) Stratification and frequency analysis, i.e. categorization and summarization of data in different ways.
(vi) File creation and updating.
(vii) Reporting, i.e. formatting output in the required manner.
(b) Limitations of GAS
(i) Least likely to be used for inquiry of on-line data files.
(ii) Cannot perform a physical count of inventory or cash.
(iii) Cannot perform continuous monitoring and analysis of transactions.
(iv) Cannot be customized easily for specific situations.

(69) Question Background: Winter 2008, Q # 1, Syllabus Topic:
Tehqeeq (Private) Limited (TPL) provides research and development services to varied businesses. TPL makes intensive use of Information Technology (IT) to support its activities. Two high-configuration machines are dedicated to important research activities. Besides, several other machines are installed in other departments of TPL. Mr. Ghalib has recently joined TPL as their IT Head. In due course, he has realized that there is no formal planning of the company's information technology needs. Although the management understands the importance of the IT function and the need to upgrade IT resources to meet its needs, it has not yet prepared a formal documented IT strategy. The high costs associated with the preparation and maintenance of a documented IT strategy have been one of the reasons for the management's reluctance in this regard.

Required: Prepare a note addressed to the BOD explaining the following:
(a) Operational and strategic IT plans and their typical contents. (08 Marks)
(b) Advantages of developing an IT strategic plan. (04 Marks)
(c) Factors to be considered while developing the IT strategy. (04 Marks)

Suggested Answer:
(a) Operational Plan
It is the short-run plan covering the next one to three years of operations. The contents of an operational plan typically include the following:
(i) Initiatives to be undertaken
- Systems to be developed
- Hardware/software platform changes
- Personnel resources acquisition and development
- Financial resources allocation
(ii) Implementation schedule
- Proposed start and finish dates for each major project
- Milestones
- Project control procedures to be adopted
(iii) Format of the progress report
Strategic Plan
It is the long-run plan covering the next three to five years of operations. The contents of a strategic plan typically include the following:
(i) Strategic directions
- Vision statement for information technology
- Overall strategies for intra-organizational and inter-organizational systems
(ii) Assessment of current strategy and future requirements
- Existing information services provided
- Assessment of current hardware/software platform and future requirements
- Assessment of existing personnel resources and future requirements
- Assessment of current technology issues
- Assessment of current financial resources and future requirements
- SWOT (strengths, weaknesses, opportunities and threats) analysis
- Approach to monitoring the implementation of the strategy
(b) Advantages of developing an IT Strategic Plan
(i) Effective management of expensive and critical assets of the organization.
(ii) Alignment of Information Systems with the business objectives.
(iii) Well-planned flow of information and processes.
(iv) Efficient and effective allocation of Information System resources.
(v) Reduction in time and cost of the information systems life cycle.
(c) The following factors should be considered while developing the IT strategy:
(i) Vision, mission and business objectives of the company.
(ii) The strategically important units.
(iii) The key business areas that could benefit most from an investment in information technology.
(iv) Cost of the systems, i.e. software, hardware, management commitment and time, education and training, conversion, documentation, operational manning, and maintenance.
(v) Implications of the proposed strategy for the existing work force.
(vi) The criteria for performance measurement of the IT function.

(70) Question Background: Winter 2008, Q # 2, Syllabus Topic:
After a recent security breach of information systems at PRB Enterprises, an emergency meeting was called by the Board of Directors of the company, in which members of the executive management, the steering committee and the chief information security officer also participated. Unfortunately, instead of finding the root cause of the security breach and determining the future course of action for managing the various risks to which the organization may be exposed, the meeting was marred by finger-pointing.

Required:
(a) List the major steps of a security incident handling and response mechanism in an organization. (07 Marks)
(b) Identify at least two important responsibilities related to Risk Management for each of the following: Board of Directors; Steering Committee; Executive Management; Chief Information Security Officer. (06 Marks)
Suggested Answer:(a) Major steps for a security incident handling and response mechanism in an organization are: Planning and preparation Preparing a plan and strategy for possible security incidents that the organizations IT assets may face. Prevention Devising controls and processes to prevent security incidents. Detection Devising mechanism for detection of security incidents. Initiation/Reporting Devising process / mechanism by which a security incident could be reported. Evaluation Devising a mechanism for evaluating the reported security incident (its nature, criticality, possible consequences, etc.). Containment Devising a mechanism to contain the negative effects of security incidents. Recovery Devising the process of going back to normal operations. Post-incident review Devising the mechanism to assess things like why it happened? What should be done to avoid that? Was our response correct? Lessons Learned Developing a mechanism of documenting the overall incident for reference at a later stage. (b) Identification of two major responsibilities related to risk management Board of Directors Establishing the policy of risk management in all activities. Ensuring regulatory compliance. Steering Committee Identifying emerging risks. Identify compliance issues. Executive Management Ensuring that all roles and responsibilities of the organization include risk management. Promoting business unit security policies. Chief Information Security Officer Implementing the risk management policies. Advising concerned personnel on risk management issues. / Users training. (71) Question Background: Winter 2008, Q # 3, Syllabus Topic: Talib Dairy Limited (TDL) produces various milk products. Its dairy farm is situated in the northern part of the country and it has a countrywide chain of sales and distribution outlets. 
In order to meet the growing demand for their products and ensure timely availability at all places, the management is considering implementation of a web based solution for their sales and inventory management. An initial study in this regard shows that the solution will involve high up-front costs and a time span of around eighteen months for complete implementation. However, their consultant has suggested that TDL should make arrangements with a reputable Application Service Provider (ASP) instead of going for their own software.
Required:
The management does not have a clear understanding of the role of ASPs and it has requested the consultant to explain the following:
(a) Why the appointment of an ASP is a better option for TDL? (06 Marks)
(b) The important factors which TDL needs to consider while negotiating arrangements with an ASP. (08 Marks)
(c) Drawbacks of using an ASP. (03 Marks)
Suggested Answer:-
(a) The option to appoint an ASP may prove to be more feasible for TDL on account of the following:
(i) An ASP may prove economical, since software costs for the application are spread over a number of clients.
(ii) The ASP's software is developed by experts who have considerably more application development experience than in-house staff.
(iii) There is a strong possibility that system testing/implementation time will be reduced considerably, since most of the ASP's software programs are already tested and running at other clients' locations.

(iv) Systems will be kept up to date.
(v) A certain level of service can be ensured through a Service Level Agreement (SLA).
(vi) Immediate problem resolution and better technical support.
(vii) The ASP may keep TDL updated on the latest technology and available products.
(viii) Internal IT costs shall be reduced to a predictable monthly fee.
(ix) IT staff and tools may be redeployed to focus on core issues.
(b) TDL should pay special attention to the following factors while finalizing arrangements with an ASP:
(i) The cost and benefit analysis should be carefully planned.
(ii) Consider the viability of the ASP, i.e. its financial position, experience and customers' response.
(iii) How will the sales and inventory system designed by the ASP be integrated with other systems?
(iv) How easy/costly would it be to revise the software, whenever required?
(v) How will the security of data be ensured?
(vi) Ensure the inclusion of an appropriate clause in the SLA relating to maintenance of confidentiality.
(vii) Who will own the data which will be generated during the operation of the software?
(viii) The degree of assurance provided by the ASP as regards the uninterrupted availability of services.
(ix) What back-up support will the ASP provide in case of failure of the application?
(x) What other support (training, troubleshooting and consulting) will the ASP provide?
(xi) The impact of a situation in which the ASP may intentionally withhold its services.
(xii) Mechanism to resolve mutual disputes.
(xiii) What compensation will be provided in case TDL suffers loss on account of malfunctioning of the software?
(xiv) Terms and conditions related to termination of the agreement.
(xv) Ensure the inclusion of an appropriate clause giving TDL the right to audit the data and the software.
(xvi) If the ASP goes out of business or is unable to provide services to TDL during the contract period, TDL should have the right to access the source code.
(xvii) Get the SLA scrutinized by a legal consultant.
(c) Drawbacks of ASPs include:
(i) The ASP may not provide a customized solution for such a small project and TDL might be required to accept the application as provided.
(ii) Increased reliance on an ASP, especially in the case of critical business functions like sales and inventory management, may not be advisable.
(iii) Changes in the ASP market may result in changes in the type or level of service available to clients.
(iv) TDL may face problems when it wants to integrate its non-ASP based systems with the systems being run by the ASP.

(72) Question Background: Winter 2008, Q # 4, Syllabus Topic:
Elite Textiles Limited (ETL) was established in 1995 as a spinning unit. Over the years, it has diversified into other related businesses and has established various units across the country. Meanwhile, the company has developed software for various areas of its operations. However, it is felt that there is a lot of duplication of work and complex reports have to be prepared using spreadsheets. The management has now decided to switch to an ERP system. To ensure the success of the project, the management has formed an ERP Steering Committee, headed by the CFO.
Required:
You are required to explain the following to the CFO:
(a) The role and responsibilities of the ERP Steering Committee. (05 Marks)
(b) Three common ways of implementing an ERP solution and the method which is most appropriate for ETL. (05 Marks)
(c) The steps that are generally involved in implementation of an ERP solution. (06 Marks)
Suggested Answer:-
(a) Roles and responsibilities of the ERP Steering Committee
Following are the roles and responsibilities of the ERP Steering Committee:
(i) Setting the vision of the project
(ii) Setting project goals

(iii) Defining priorities of the project
(iv) Defining objectives (measurable and intangible)
(v) Defining scope and ensuring that the scope is aligned with the requirements of stakeholders
(vi) Planning of financial resources
(vii) Allocation of resources
(viii) Approving budgets
(ix) Approving changes in the scope of work
(x) Change management
(xi) Approving contracts and change orders
(xii) Post implementation review
(xiii) Communicating support for the project throughout the organization
(xiv) Reviewing progress
(xv) Resolving escalated issues
(b) Three commonly used ways of implementing an ERP are explained as follows:
The Big Bang: In this approach companies cast off all their legacy systems and install a single ERP system across the entire company at once.
Franchising Strategy: In this strategy, independent ERP systems are installed in different units, while linking common processes, such as bookkeeping, across the enterprise.
Slam dunk: This strategy is for small companies expecting to grow into ERP. In this methodology, the ERP system dictates the process design, and the focus is on just a few key processes, such as those contained in an ERP system's financial module.
The franchising strategy seems appropriate for ETL because it is suitable for large or diversified companies like ETL.
(c) The following steps are generally involved in implementation of an ERP solution:
(i) Project planning
(ii) Business and operational analysis, including gap analysis
(iii) Business requirement mapping
(iv) Business process re-engineering
(v) Installation and configuration
(vi) Project team training
(vii) Module configuration
(viii) System interfaces
(ix) Data conversion
(x) Custom documentation
(xi) End user training
(xii) Acceptance testing
(xiii) Post implementation/audit support

(73) Question Background: Winter 2008, Q # 5, Syllabus Topic:
During a recent meeting, the management of Mahir Chemicals Limited (MCL) noted with serious concern that the knowledge base available with the company is not being used efficiently. Quite frequently, valuable resources are wasted on generating information which is already available with other departments/locations. To cope with the situation, a senior executive suggested the creation and maintenance of a Knowledge Management System (KMS).
Required:
As the Head of IT, the Management has asked you to explain:
(a) Knowledge Management Systems and their functions. (03 Marks)
(b) The advantages of Knowledge Management Systems. (03 Marks)
(c) Give three examples of systems that can facilitate:
i- Knowledge distribution
ii- Knowledge sharing (03 Marks)

Suggested Answer:-
(a) A Knowledge Management System (KMS) refers to a system for managing knowledge in organizations, supporting the creation, capture, storage and dissemination of information. The idea of a KMS is to enable employees to have ready access to the organization's documented facts, sources of information and solutions. Databases are set up containing all the major work done in an organization. An application is then developed allowing the users to access information from the database as needed.
(b) Some of the advantages claimed for a KMS are:
(i) Valuable organizational information can be shared.
(ii) It can avoid re-inventing the wheel, reducing redundant work / saving time.
(iii) It may reduce the effort spent on training new employees.
(iv) Intellectual information can be retained even after the employee leaves.
(v) Development of important knowledge that can be used to create successful business models.
(vi) Benefit of creating a knowledge base which is already tried and tested and can be sold worldwide to franchisees, leading to global operations.
(c)
Facility: Knowledge distribution. Systems: Word processing, electronic schedulers, desktop databases, email, etc.
Facility: Knowledge sharing. Systems: Intranet, extranet, groupware, etc.

(74) Question Background: Winter 2008, Q # 6, Syllabus Topic:
In the current environment, almost every aspect of personal information is increasingly being stored in digital form. Consequently, organizations acknowledge the need to protect the personal and confidential data available with them from unauthorized individuals and entities.
Required:
(a) Explain the benefits of good privacy controls for businesses. (03 Marks)
(b) List six best practices to be adopted for effective data privacy management in a business environment. (06 Marks)
Suggested Answer:-
(a) Benefits of good privacy controls:
Protecting the organization's public image and brand.
Protecting valuable data of customers and employees.
Achieving a competitive advantage in the market place.
Avoiding legal repercussions.
Promoting confidence and goodwill.
(b) Best practices:
Performing adequate and regular privacy risk assessments.
Developing awareness among the users about the need to follow the specified procedures.
Proper implementation of login IDs and passwords.
Masking personal identification numbers and other sensitive information when possible.
Creating awareness about Web and e-mail vulnerabilities.
Developing record retention and destruction policies.
Implementing a data classification scheme based on sensitivity, and data mapping.
Implementing intrusion detection and prevention technologies.
Control over use of removable media.
For keeping safe custody of laptops, an undertaking is to be signed by employees carrying a company laptop.
Supervising and training staff to prevent social engineering and similar risks.
Establishing a privacy ombudsman, officer or organization to act as the focal point for the coordination of privacy-related activities and the handling of complaints and issues.
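Two of the practices listed above, a sensitivity-based data classification scheme and masking of identification numbers and other sensitive fields, can be combined in one routine that is applied before a record is displayed, printed or written to a log. The following is an added illustration, not part of the ICAP suggested answer: the field names, the classification table and the sample customer record are all constructed for the example.

```python
"""Added example (not from the ICAP answer): masking sensitive fields before
display or logging, driven by a simple data-classification scheme.

Assumptions (constructed for this example): the record layout, the field
classification table and the sample customer record below are hypothetical.
"""
import re

# Classification scheme: which fields are sensitive and how to mask them.
# "partial" keeps the last four digits so support staff can still confirm
# identity with the customer; "full" hides everything; "email" keeps the
# domain only; "public" is shown as-is.
CLASSIFICATION = {
    "cnic":     "partial",   # national identity card number
    "card_no":  "partial",   # payment card number
    "password": "full",
    "email":    "email",
    "name":     "public",
    "city":     "public",
}


def mask_value(value, rule):
    """Return the masked form of one field value according to its rule."""
    if rule == "public":
        return value
    if rule == "full":
        return "*" * len(value)
    if rule == "partial":
        digits = re.sub(r"\D", "", value)   # drop dashes/spaces before masking
        if len(digits) <= 4:                # too short to reveal anything
            return "*" * len(digits)
        return "*" * (len(digits) - 4) + digits[-4:]
    if rule == "email":
        local, sep, domain = value.partition("@")
        if not sep:                         # malformed address: hide it all
            return "*" * len(value)
        return local[0] + "*" * (len(local) - 1) + "@" + domain
    raise ValueError(f"unknown classification rule: {rule}")


def mask_record(record, scheme=CLASSIFICATION):
    """Mask every field of a record. A field absent from the scheme is treated
    as 'full' (deny by default), so a newly added sensitive column is never
    leaked merely because nobody classified it yet."""
    return {k: mask_value(str(v), scheme.get(k, "full")) for k, v in record.items()}


# Constructed sample record (not real data).
SAMPLE = {
    "name": "A. Customer",
    "cnic": "12345-6789012-3",
    "card_no": "4111 1111 1111 1111",
    "email": "customer@example.com",
    "password": "s3cret!",
    "city": "Karachi",
    "phone": "0300-1234567",   # not in the scheme, so fully masked
}

if __name__ == "__main__":
    for field, shown in mask_record(SAMPLE).items():
        print(f"{field:10s} {shown}")
```

The deny-by-default branch in mask_record is the part worth keeping: the usual privacy failure is not a badly masked field but a field nobody thought to classify, which then appears in clear text in a report or a log.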

(75) Question Background: Winter 2008, Q # 7, Syllabus Topic:
The Human Resources Department of Sensible Investment Fund (SIF) is in the process of compiling a staff manual. While formulating policies for recruitment and termination of IT staff, the HR Manager requested the IT Manager to give his input on the same.
Required:
You are required to:
(a) Identify common controls which should be considered while hiring IT personnel. (02 Marks)
(b) List the control procedures that should be followed when an IT staff member leaves SIF. (03 Marks)
Suggested Answer:-
(a) The following controls should be considered while hiring IT personnel:
(i) Reference checks.
(ii) Confidentiality agreement.
(iii) Employee bonding to protect against losses due to theft, mistakes and neglect.
(iv) Conflict of interest assessment.
(v) Undertaking to abstain from carrying on any other job/business, including any other activity which may be in conflict with the interests of the organization.
(b) The following control procedures should be followed when an IT staff member leaves:
(i) Return of all keys, ID cards and badges.
(ii) Deletion of assigned logon IDs and passwords.
(iii) Notification to appropriate staff and security personnel.
(iv) Arrangement of the final pay routines.
(v) Exit interview.
(vi) Return of all company property.
(vii) Handing over and taking over of responsibilities and assignments.

(76) Question Background: Winter 2008, Q # 8, Syllabus Topic:
Business organizations face a number of risks which are, at times, unavoidable. Progressive business concerns seek to create an environment that can identify and manage those risks. Developing a Business Continuity Plan (BCP) helps to develop such an environment in an organization.
Required:
List any nine steps which you would consider important while assessing whether or not the BCP is effective and comprehensive.
(09 Marks)
Suggested Answer:-
Important steps in evaluating the effectiveness and comprehensiveness of a BCP are as follows:
(i) Obtain a copy of the updated Business Continuity Plan.
(ii) Sample the distributed copies of the plan and verify that they are current.
(iii) Evaluate the procedure for updating the manual. Are updates applied and distributed in a timely manner? Are specific responsibilities for maintenance of the manual documented?
(iv) Determine if all applications have been identified and reviewed for their level of tolerance in the event of a disaster.
(v) Evaluate the effectiveness of the documented procedures for the initiation of the business continuity effort.
(vi) Review the identification and planned support of critical applications, including PC based or end user developed systems.
(vii) Determine if the alternative processing site has the correct version of the software.
(viii) Determine that the alternative processing site does not have the same environmental risks as those faced by the original site.
(ix) Review the list of business continuity personnel, emergency hot site contacts, emergency vendor contacts, etc. for appropriateness and completeness.
(x) Actually call a sample of the concerned personnel and verify that their phone numbers and addresses are correct as indicated. Interview them for an understanding of their assigned responsibilities in a disaster situation.
(xi) Determine if all recovery teams have written procedures to follow in the event of a disaster.

(xii) Determine if items necessary for the reconstruction of the information processing facility are stored off-site, such as blueprints, hardware inventory and wiring diagrams.
(xiii) Check if the critical information assets are protected under insurance cover.
(xiv) Determine if the BCP has ever been tested, and whether there is any mandatory requirement to test the BCP at periodic intervals.

(77) Question Background: Winter 2008, Q # 9, Syllabus Topic:
Mr. Akhlaq is conducting the information systems audit of Varied Services Limited (VSL). Some of the policies regarding user accounts listed by the IT Manager are as follows:
(i) User accounts are created by the system administrator only.
(ii) Initial passwords are communicated to the users confidentially.
(iii) Passwords must follow a complex syntax.
(iv) Users cannot repeat their last seven passwords.
(v) User accounts can only be unlocked by the system administrator on written request from the user.
(vi) Logon IDs of employees who take more than one week's leave are made inactive on intimation from the HR department.
Required:
Describe the manual tests that Mr. Akhlaq should perform to verify that the settings communicated by the IT Manager are actually working. (06 Marks)
Suggested Answer:-
To verify that these settings are actually working, Mr. Akhlaq can perform the following manual tests:
(i) He should log on to the domain server with various privileged/key user IDs, including the ID of the system administrator, and try to create new users. The creation of user IDs should be allowed to the system administrator only.
(ii) He can interview a sample of users to determine how their first passwords were communicated to them. If the passwords were communicated by phone or verbally, this shows a control weakness. The passwords should have been handed to the user in person, in a sealed envelope.
(iii) He should attempt to create passwords in a format that is invalid, such as too short, too long, an incorrect mix of alphabetic or numeric characters, or the use of inappropriate characters.
(iv) He should attempt to create passwords which are the same as any of the previous seven passwords, to ascertain whether these are accepted by the server or not.
(v) He can review system logs and try to identify past user account lockout incidents. Once such an incident is found, he should check whether a written request is present with the system administrator in respect thereof.
(vi) He should obtain a list of those employees from the HR department who are presently on leave. He should then check whether a written intimation from the HR department is present with the system administrator, and whether their accounts have been disabled/locked out by the system administrator.

(78) Question Background: Summer 2008, Q # 1, Syllabus Topic:
The newly appointed CEO of Digital Corporation (DC) is of the view that the company's General Ledger (GL) application, developed by a renowned software house, suffers from many limitations. Some of its modules are of little use to the company. The CEO feels that the cost incurred for development of the software was very high; besides, he also has doubts about the accuracy of the data being produced. He has appointed RBC & Company to carry out an assessment of the effectiveness, efficiency and relevance of the system.
Required:
(a) Identify the documents which RBC's team would review to gain an understanding of the GL application. Also, explain briefly the importance of each of the identified documents. (06 Marks)
(b) Identify and briefly explain the various types of controls which could satisfy RBC about the effectiveness of the system and the reliability of data. Explain how they would test their effectiveness. (10 Marks)

Suggested Answer:-
(a) The following documents may be reviewed to gain an understanding of the GL application:
Documents describing user requirements: These documents help in identifying the essential system components.
Documents describing the cost benefit analysis: These documents help in understanding the need for and objective of each module and functionality of the application.

Functional design specifications: This document provides a detailed explanation of the application.
Documents describing modifications in programs: Such documents will help in evaluating whether the application has been working satisfactorily, in understanding changes in user requirements, and in assessing change management controls.
User manuals: A review of the user manual will allow us to determine whether it contains appropriate guidance for the users.
Technical reference manual: Its review helps in understanding the access rules and logic of the application.
(b) Input Controls
Terminal/client workstation identification check: This check is used to limit input to specific terminals as well as to individuals. Client workstations in a network can be configured with a unique form of identification, such as a serial number or computer name, that is authenticated by the system.
Effectiveness testing:
(i) Check if a list of authorized terminals is in place and is updated.
(ii) Attempt to access the system from an unauthorized terminal.
(iii) Observe the process of input and review source documents for evidence of authorization.
OR

Completeness check: Fields like the national identity card number accept data of a standard length. If an incomplete card number is entered, an alert is generated to complete the entry. At record level, when we want to move on to the next record without entering the values of mandatory fields, an alert is generated to complete the record entries.
Effectiveness testing:
(i) Observing the data entry process.
(ii) Inputting some records on a test basis, intentionally leaving mandatory fields blank while adding new records.
OR

Authorization on source document: An authorized person's signature in an appropriate area of the source document provides evidence of proper authorization.
Effectiveness testing: Review some source documents corresponding to records present in the system and verify the authorized signatures.
Processing Controls
Exception reports: Such reports are generated when some transaction or data appears to be incorrect.
Effectiveness testing: Review exception reports and check whether these were reviewed by the concerned user, and the evidence of actions taken thereon.
OR

Reconciliation of control totals: It involves checking the totals produced by the computer against those determined manually.
Effectiveness testing:
(i) Assessing whether the reconciliations are being prepared as appropriate.
(ii) Checking the calculations appearing on the reconciliations.
OR

File version check: For correct processing, the system ensures that transactions are applied to the most current database.
Effectiveness testing: Process some sample transactions and compare the results with the current version of the database.
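The completeness check (an input control) and the reconciliation of control totals with an exception report (processing controls) described above can be seen working together in one batch-posting routine. The following is an added illustration and not part of the ICAP suggested answer or of any real GL product: the record layout, the six-digit account code rule, the batch header fields and the sample journal batch are all constructed for the example.

```python
"""Added example (not from the ICAP answer): input and processing controls on
a batch of journal entries, as an auditor would expect a GL application to
apply them. The record layout, the six-digit account rule, the header fields
and the sample batch are constructed assumptions for this illustration."""
from decimal import Decimal, InvalidOperation

# Input control: completeness check. Every mandatory field must be present,
# the account code must be exactly six digits and amounts must be numeric.
MANDATORY = ("doc_no", "account", "debit", "credit", "entered_by")


def completeness_errors(rec):
    """Return the list of completeness/format errors for one input record.
    An empty list means the record passes the input controls."""
    errors = []
    for field in MANDATORY:
        if not str(rec.get(field, "")).strip():
            errors.append(f"{field}: mandatory field missing")
    acct = str(rec.get("account", ""))
    if acct and not (acct.isdigit() and len(acct) == 6):
        errors.append("account: must be exactly 6 digits")
    for field in ("debit", "credit"):
        try:
            Decimal(str(rec.get(field, "")))
        except (InvalidOperation, ValueError):
            errors.append(f"{field}: not a valid amount")
    return errors


# Processing control: reconciliation of control totals. The batch header
# carries the record count and totals worked out manually from the source
# documents; the system recomputes them over the records it accepted and
# every difference goes to an exception report instead of being posted.
def reconcile_batch(header, records):
    """Validate each record, recompute the control totals and compare them
    with the manual header totals. Returns a report dict; the batch is
    posted only when the exception list is empty."""
    accepted, rejected = [], {}
    for rec in records:
        errs = completeness_errors(rec)
        if errs:
            rejected[rec.get("doc_no") or "<no doc_no>"] = errs
        else:
            accepted.append(rec)
    total_debit = sum((Decimal(str(r["debit"])) for r in accepted), Decimal("0"))
    total_credit = sum((Decimal(str(r["credit"])) for r in accepted), Decimal("0"))

    exceptions = []
    if len(accepted) != header["record_count"]:
        exceptions.append(f"record count {len(accepted)} != header {header['record_count']}")
    if total_debit != Decimal(header["total_debit"]):
        exceptions.append(f"debit total {total_debit} != header {header['total_debit']}")
    if total_credit != Decimal(header["total_credit"]):
        exceptions.append(f"credit total {total_credit} != header {header['total_credit']}")
    if total_debit != total_credit:
        exceptions.append("batch does not balance: debits != credits")
    return {"accepted": len(accepted), "rejected": rejected,
            "total_debit": total_debit, "total_credit": total_credit,
            "exceptions": exceptions, "posted": not exceptions}


# Constructed sample batch: the header totals were "prepared manually" for
# four documents, but two of the records fail the completeness check.
SAMPLE_HEADER = {"record_count": 3, "total_debit": "1500.00", "total_credit": "1500.00"}
SAMPLE_BATCH = [
    {"doc_no": "J001", "account": "100100", "debit": "1000.00", "credit": "0.00", "entered_by": "clerk1"},
    {"doc_no": "J002", "account": "200200", "debit": "0.00", "credit": "1000.00", "entered_by": "clerk1"},
    {"doc_no": "J003", "account": "3003", "debit": "500.00", "credit": "0.00", "entered_by": "clerk2"},
    {"doc_no": "J004", "account": "400400", "debit": "0.00", "credit": "500.00", "entered_by": ""},
]

if __name__ == "__main__":
    report = reconcile_batch(SAMPLE_HEADER, SAMPLE_BATCH)
    print("rejected records:", report["rejected"])
    print("exception report:", report["exceptions"])
    print("posted:", report["posted"])
```

When Mr. Akhlaq-style testing (entering records with mandatory fields blank, or a batch whose header totals disagree with the records) is run against such a routine, the evidence the auditor wants is exactly what the report dict holds: which documents were rejected and why, and which control-total differences stopped the posting.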


Output Controls
Printing and storage of output reports: Critical output reports should be produced and maintained in a secure area in an authorized manner.
Effectiveness testing:
(i) Review of the access rules.
(ii) Reviewing and assessing the procedures adopted by the management for monitoring the output.
(iii) Reconciliation of the total pages printed with the readings shown on the counter installed in the printer.
OR

Distribution of reports: Authorized distribution parameters are set for output reports. All reports are logged prior to distribution. The recipient is required to sign the distribution log as evidence of receipt of the output.
Effectiveness testing:
(i) Observation and review of output distribution logs.
(ii) Verifying recipients' signatures on the distribution log.
General Controls
Segregation of duties: Segregation of duties means that important responsibilities are distributed between two or more individuals, which creates checks and balances as the work of one person is checked by the other. If a single person is responsible for many activities it becomes easy for him to commit fraud, or for errors to remain undetected.
Effectiveness testing:
(i) Observation and review of job descriptions.
(ii) Review of authorization levels and procedures.
Error control and correction reports: They provide evidence of appropriate review, research, timely correction and resubmission.
Effectiveness testing:
(i) Assessing and testing whether appropriate reports are being generated.
(ii) Checking the consequent corrections and their authorizations.
OR

Access to authorized personnel only: Access to information/data should be based upon job descriptions.
Effectiveness testing:
(i) Review of access rules to ensure that these are appropriately based on the requirements.
(ii) Testing compliance with the access rules.
Backup and recovery: Automatic backup enables recovery from any unforeseen breakdown and mitigates the effects of data corruption.
Effectiveness testing: Observe the automatic backup procedure. Attempt to restore the system from a recent backup at an alternative location.

(79) Question Background: Summer 2008, Q # 2, Syllabus Topic:
Prestige Communications (PC) and Natural Technologies (NT) have recently entered into a reciprocal agreement which will allow each party to use the processing facilities available with the other, in case of disaster. PC has requested their IT Manager to review the reciprocal agreement to ensure that it covers all critical areas.
Required:
Prepare a questionnaire for the IT Manager to help him ensure that the agreement is complete in all aspects. (10 Marks)
Suggested Answer:-
(i) What facilities, equipment and software will be available?
(ii) Will staff assistance be provided?
(iii) How quickly can access be gained to the host recovery facility?

(iv) How long can the emergency operation continue?
(v) How frequently can the system be tested for compatibility?
(vi) How will confidentiality of the data be maintained?
(vii) What type of security will be afforded for information systems operations and data?
(viii) Are there certain times of the year, month, etc. when the partner's facilities shall not be available?
(ix) Have the costs to be billed been agreed upon clearly?
(x) Have appropriate clauses been included to ensure that the commitment is fulfilled (e.g. a penalty clause)?
(xi) Does the agreement contain appropriate provisions as regards the termination of the contract?

(80) Question Background: Summer 2008, Q # 3 (a), Syllabus Topic:
(a) Automated Teller Machines (ATMs) have tremendous utility for banking customers. However, the concerned bank needs to carry out constant review and monitoring of the controls installed as a safeguard against fraudulent activities.
Required:
Identify five major tasks that should be performed during an information systems audit of ATMs and their overall mechanism. (05 Marks)
Suggested Answer:-
(i) Review measures to establish proper customer identification and maintenance of their confidentiality.
(ii) Review the file maintenance and retention system.
(iii) Review exception reports.
(iv) Review the daily reconciliation of ATM transactions.
(v) Review PIN (key) change management procedures.
(vi) Review the procedures for retained, stolen or lost cards.
(vii) Review the effectiveness of physical controls.

(81) Question Background: Summer 2008, Q # 3 (b), Syllabus Topic:
An effective and efficient management of software inventory is generally carried out with the help of an automated mechanism known as a Software Library Management System.
Required:
Identify any five key capabilities of a Software Library Management System that help in the overall management of software inventory. (05 Marks)
Suggested Answer:-
(i) Assignment of a modification number and version number to each item in the software inventory.
(ii) Security over access to software, OR limiting access to software to authorized persons only.
(iii) Provision of facilities like encryption and automatic backup.
(iv) Creating, updating and deleting the profiles of users for access to the software inventory.
(v) Maintaining an audit trail of access to any item of the software inventory.
(vi) Interface with the operating system, job scheduling system, access control system and online program management for the provision of various features to users.
(vii) Maintaining a list of additions, deletions and modifications in the overall library catalogue.

(82) Question Background: Summer 2008, Q # 4, Syllabus Topic:
The CEO of Jalib Securities & Exchange Company is concerned about the rising number of frauds being reported in the industry, especially those carried out by insiders. Recently another financial institution in the same region suffered a loss of Rs. 10 million due to a fraud which was committed by a senior executive who was responsible for carrying out a number of key responsibilities related to information systems. The CEO has requested you to advise the company on prevention and detection measures against such threats to their information systems.
Required:
(a) Discuss the principle of segregation of duties. What could occur if adequate segregation of duties does not exist? (03 Marks)
(b) Suggest other best practices for preventing and detecting frauds that may be committed by key information systems personnel. (List at least six points) (06 Marks)
Suggested Answer:-


(a) Segregation of duties means that important responsibilities are distributed between two or more individuals. As a result, checks and balances are created, as the work of one person is checked by the other. If adequate segregation of duties does not exist, the following could occur:
Misappropriation of assets, OR the chances of fraud increase.
Inaccurate information (i.e. errors or irregularities remain undetected).
Modification of data could go undetected.
(b) Suggested best practices for preventing and detecting frauds that may be committed by key information systems personnel are as follows:
(i) Carry out periodic enterprise-wide risk assessments: A periodic risk assessment procedure helps to identify risks which may result in loss to the organization.
(ii) Clearly document insider threat controls: Clear documentation helps to ensure fewer gaps for attack and better understanding by employees.
(iii) Carry out periodic security awareness training for all employees: If the employees are trained and understand the security policies and procedures, and why they exist, they will be encouraged and able to avert security lapses.
(iv) Implement strict password and account management policies and practices: Password controls and account management policies are often not followed, to avoid inconvenience. Without strict implementation such controls are of no use.
(v) Log, monitor and audit the online actions of employees: Periodic logging, monitoring and auditing discourages and discovers inappropriate actions.
(vi) Use extra caution with system administrators and privileged users: Typically, logging and monitoring is performed by a combination of system administrators and privileged users. Therefore, additional vigilance must be devoted to those users.
(vii) Monitor and respond to suspicious or disruptive behaviour: Policies and procedures should be in place for all employees to report such behaviour, with required follow-up by management.
(viii) Physical controls: Closed circuit cameras, biometrics, digital door locks, etc. serve as good physical controls against insider threats.
(ix) Deactivate computer access immediately after termination: An immediate deactivation policy will discourage losses due to lapses and slackness.
(x) Job rotation: Periodic rotation of responsibilities enhances the check and balance environment. It helps in detecting errors and irregularities which would otherwise remain undetected.
(xi) Forced leave policy: A mandatory leave policy helps in successful succession planning. It also tests the organization's preparedness in case its key IT personnel leave.
(xii) Restricted use of removable media: This practice helps in minimizing the chances of viruses and worms entering the system. It also mitigates the chances of theft of sensitive data.
(xiii) Access to sensitive data/information on a need-to-have basis: This practice enhances the security and confidentiality of data. Since access to data is allowed only on proper authorization, any modification to it can be tracked and detected easily.

(83) Question Background: Summer 2008, Q # 5, Syllabus Topic:
The risk management process involves the identification and classification of assets, assessing the threats associated with the identified assets, identifying vulnerabilities or lack of controls, and assessing the impact of the identified threats.
Required:
You are required to identify four types of information assets associated with information technology and identify the following:
At least two threats associated with each asset.
The possible impact of the identified threats.
At least two controls for mitigating the risk associated with each threat. (12 Marks)
Suggested Answer:-


(i) Asset: Information/data
    Threat: Errors
        Impact: Business interruption; Monetary loss
        Controls: Users training; Input and verification by different persons; Data validation checks
    Threat: Malicious damage/attack (Viruses, Hackers)
        Impact: Denial of service; Business interruption; Loss of business opportunity; Loss of data; Monetary loss
        Controls: Properly configured firewall; Installing updated definitions of antivirus programs; Restricting use of removable drives; Proper backup plan; Use of strong passwords; Use of protected communication lines for data transmission
    Threat: Theft
        Impact: Loss of business opportunity; Leakage of business secrets; Legal repercussions
        Controls: Restricting use of removable drives
    Threat: Electric surge
        Impact: Loss of data; Business interruption; Monetary loss
        Controls: Using stabilizers and circuit breakers; Proper maintenance of electric circuitry; Proper maintenance of water fittings

(ii) Asset: Hardware
    Threat: Theft
        Impact: Business interruption; Loss of business opportunity; Loss of equipment
        Controls: Security guards; Lock and key; Digital locks; Biometric locks; Prohibiting one person from working alone
    Threat: Equipment failure
        Impact: Business interruption
        Controls: Hardware backup; Periodic maintenance; Maintenance contracts
    Threat: Physical damage (Electric surge, Fire, Water)
        Impact: Business interruption; Loss of equipment and facilities
        Controls: Electric surge: Proper maintenance of electric fittings; Using stabilizers and circuit breakers. Fire: Fire proof rooms; Alternative hardware and facilities arrangement; Fire alarms; Fire extinguishers. Water: Proper maintenance of water fittings and drainage system; Raised floors

(iii) Asset: Software
    Threat: Program errors (Bugs, Trap doors)
        Impact: Business interruption; Loss of data; Loss of confidentiality (trap doors)
        Controls: Testing before implementation; Source code review; Software maintenance
    Threat: Malicious damage/attack
        Impact: Denial of service; Business interruption; Loss of business opportunity; Loss of data
        Controls: Properly configured firewall; Installing updated definitions of antivirus programs; Restricting use of removable drives
    Threat: Use of pirated software
        Impact: Legal consequences; Loss of reputation
        Controls: Compliance with software licenses; Prohibiting users from installing programs

(iv) Asset: Personnel
    Threat: Health hazards
        Impact: Business interruption
        Controls: Proper work environment; Proper job description; Mandatory vacations
    Threat: Injuries
        Impact: Business interruption
        Controls: Proper maintenance of electric fittings; Wet floor cautions
    Threat: Resignation
        Impact: Business interruption
        Controls: Succession planning; Program documentation
    Threat: Death
        Impact: Business interruption
        Controls: Succession planning; Program documentation
(84) Question Background: Summer 2008, Q # 6, Syllabus Topic: Smart Industries Limited is using many computer-based applications, most of which have been developed in-house. They are considering replacing them with applications using web-based technologies. Required: Explain how the following e-business models can assist the company in improving its business: (a) Business-to-Consumer model (b) Business-to-Business model. (10 Marks)
Suggested Answer:-
(a) The company can make use of the B2C model in the following ways:
(i) The company can make basic information about its products available on its website. Such information may include product price, availability, features of the product and any additional charges such as delivery or insurance etc. When such information is available to potential customers in an easy-to-understand format, it will be easier for them to make decisions and they will be automatically attracted towards the company's website.
(ii) The company can provide some form of personalization of the website for repeat visits, such as welcoming the customer by name or displaying a list of products already reviewed. This would help make the site more customer-friendly, and the probability of customers visiting the company's website before any related purchase would increase.
(iii) Providing some incentives to use the website, such as loyalty points, may help to attract more customers.
(iv) New customers may be reached, especially those who are not located within traveling distance of the company's sales outlet.
(v) When a purchase is made on the company's website, customer information will be stored by the company's computer system. This information can be used to help provide repeat business for the organization.
(vi) Data can be mined to identify relationships in purchases.
(vii) The company can carry out business on a 24 x 7 basis.
(b) The B2B model can assist the company in improving its performance in the following manner:
(i) Managing inventory more efficiently.
(ii) Suppliers can be given access to stock levels such that when stocks fall below a re-order level, the supplier will automatically send replacement stocks. Thus less employee time will be spent in reviewing stock levels, and replacement stocks will be received as soon as they are required.
(iii) Automatically generated emails can be used to inform suppliers about new stock requirements.
(iv) Information concerning stock deliveries and receipts can be sent by Electronic Data Interchange. This will provide time and cost savings.
(v) The payment process can be expedited by making payments electronically.
(vi) Paperless environment.
(vii) The need to re-enter data will be reduced.

(85) Question Background: Summer 2008, Q # 7, Syllabus Topic: Techno International is in the process of acquiring new software which will replace their existing accounting system completely and fulfill other user requirements which are not being catered for in the existing software. The management has formed a project team to prepare the Request for Proposal (RFP) for the acquisition of software and conduct the acquisition process in a transparent manner. Required:
(a) List the important information to be contained in the RFP to be issued by the project team. (List at least twelve points) (09 Marks)
(b) Describe how the project team can ensure that the proposals are received and recorded in a transparent manner. (03 Marks)
(c) List the steps involved in short listing the received proposals transparently. (03 Marks)
(d) What steps should the project team take to validate the vendors' responses? (List any four points) (03 Marks)
Suggested Answer:-
(a) Key contents of RFP:
Information given to vendors
(i) Broad background of Techno International's business.
(ii) Details of the information technology environment.
(iii) Requirements of the system for which the proposal has been requested.
(iv) How the proposal will be evaluated.
(v) Criteria for the eligibility of the vendors.
(vi) General procurement policies (if any).
(vii) The format of the proposal, to facilitate comparative evaluation of the proposals.
(viii) The timing of submission, including any bonds that may be required, and the place and manner of submission.
Information required from vendor
(i) Source code availability.
(ii) Minimum hardware requirements for the proposed software.
(iii) Availability of the offered product's complete and reliable documentation.
(iv) List of recent or planned enhancements to the product, with dates.
(v) List of clients using the offered product.
(vi) Availability of support (24 x 7 online help, onsite maintenance etc.).
(vii) Provision for staff training.
(viii) Evidence of the vendor's financial stability.
(ix) Evidence of relevant experience.
(b) Key activities in ensuring transparency in receiving and recording RFPs:
(i) Advising all suppliers of the format (including method of submission, e.g. sealed envelopes, by post etc.), the deadline for submissions and the place where the submission should be lodged.
(ii) Ensuring that all vendors have equal and adequate time to submit the proposal.
(iii) Ensuring that all bids are opened at the same time and in the presence of the suppliers.
(c) Key activities involved in short listing the proposals:
(i) Eliminating proposals from vendors that do not meet the minimum requirements specified in the RFP. The reason for this should be documented and preferably communicated to the supplier.
(ii) Evaluating the remaining proposals so that the relative merits and weaknesses of each solution are documented and compared.
(iii) Eliminating all but a few proposals from further consideration, documenting the reasons for rejection and advising the suppliers who have been short listed.
(d) The project team may arrange the following to validate the vendors' responses:
Walkthrough tests
Demonstrations
Benchmark tests
Visiting or calling the vendor's current clients to verify its claims.

(85) Question Background: Summer 2008, Q # 7, Syllabus Topic: Hi-Fi Solutions has recently developed a core banking application software for Real Bank Limited (RBL), which has more than sixty branches. One of the main distinguishing features of the new system is that it is able to provide online connectivity to all branches. Prior to implementing the application, the management of RBL wants to know the measures taken by Hi-Fi Solutions for ensuring the availability of the system when multiple users access it simultaneously. The management is also concerned about the changeover strategies that can be adopted for replacing the existing system and the associated risks which may be faced during the changeover process. Required: On behalf of Hi-Fi Solutions, apprise the management of RBL on:
(a) At least two types of tests performed by Hi-Fi Solutions to ensure that the system will remain available and its efficiency will not be compromised on account of simultaneous log in by a number of users. (03 Marks)
(b) Possible changeover techniques for the complete deployment of the new system. (06 Marks)
(c) Major steps involved in changeover from the old to the new system. (03 Marks)
(d) The risks which the management may face during the changeover process. (03 Marks)
Suggested Answer:-

(a) Load Testing: It is used to test the expected usage of the system (software) by simulating multiple users accessing the system's services concurrently.
Stress / Volume / Bulk Testing: It is used to test raised usage of the system (beyond normal usage patterns) in order to test the system's response at unusually high or peak load.
Performance Testing: It is used to determine how fast the system performs under different workloads.
(b) Parallel Changeover: This technique involves running both the existing (old) and the new software in parallel and shifting over to the new system after fully gaining confidence in the working of the new software.
Phased Changeover: In this approach, the older system is broken into deliverable modules. Initially, the first module of the older system is phased out using the first module of the newer system. Then, the second module of the older system is phased out using the second module of the newer system, and so forth till the last module.
Abrupt / Direct / Plunge Changeover: In this approach the new system is introduced on a cut-off date/time and the older system is discontinued simultaneously.
Pilot Changeover: In this approach, the new system is implemented at a selected location of the company, such as only one branch office (using the direct or parallel changeover approach). After the system proves successful at the selected location (pilot site), it is implemented in the rest of the organization.
(c) Changeover to the newer system broadly involves four major steps:
(i) Training of the employees or users.
(ii) Installation of new hardware, operating system and application system.
(iii) Conversion of files and programs and migration of data.
(iv) Scheduling of operations and test running for go-live or changeover.
(d) Probable risks during the changeover process include:
(i) Loss of assets.
(ii) Data corruption / deletion.
(iii) Loss of confidentiality.
(iv) Impairment of system effectiveness.
(v) System efficiency may be affected.
(vi) Resistance from staff.
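As an added example that is not part of the suggested answer above, the following Python reconciliation check is the kind of control applied at step (c)(iii), data migration, to detect the data corruption/deletion risk in (d)(ii): it compares an extract from the old system with the same data as loaded into the new system by record count, control total and per-record hash. The record layout and sample values are constructed assumptions, not RBL's data.

```python
import hashlib
from decimal import Decimal

# Constructed sample extracts (hypothetical): account records exported from
# the old system and the same records as loaded into the new system.
OLD_SYSTEM = [
    {"acct": "1001", "name": "A. Khan", "balance": "2500.00"},
    {"acct": "1002", "name": "B. Ali", "balance": "-130.25"},
    {"acct": "1003", "name": "C. Raza", "balance": "98000.00"},
    {"acct": "1004", "name": "D. Shah", "balance": "0.00"},
]
NEW_SYSTEM = [
    {"acct": "1001", "name": "A. Khan", "balance": "2500.00"},
    {"acct": "1002", "name": "B. Ali", "balance": "-130.25"},
    {"acct": "1003", "name": "C. Raza", "balance": "9800.00"},  # digit dropped in conversion
    {"acct": "1005", "name": "E. Noor", "balance": "10.00"},   # record with no source
]   # acct 1004 is absent: deleted during migration

def record_hash(rec):
    """Fingerprint of a record's fields, independent of field order."""
    canon = "|".join(f"{k}={rec[k]}" for k in sorted(rec))
    return hashlib.sha256(canon.encode()).hexdigest()

def control_total(rows):
    """Sum of balances, computed in Decimal so that cents are exact."""
    return sum((Decimal(r["balance"]) for r in rows), Decimal("0.00"))

def reconcile(old, new, key="acct"):
    """Compare two extracts by record count, control total and per-record hash.
    Returns the exceptions the changeover team must explain before go-live."""
    old_by_key = {r[key]: r for r in old}
    new_by_key = {r[key]: r for r in new}
    common = old_by_key.keys() & new_by_key.keys()
    return {
        "count_old": len(old), "count_new": len(new),
        "total_diff": control_total(new) - control_total(old),
        "missing": sorted(set(old_by_key) - set(new_by_key)),   # deleted in migration
        "extra": sorted(set(new_by_key) - set(old_by_key)),     # created without a source
        "altered": sorted(k for k in common                     # corrupted in conversion
                          if record_hash(old_by_key[k]) != record_hash(new_by_key[k])),
    }

def migration_clean(report):
    """True only when every record carried over unchanged and the totals agree."""
    return not (report["missing"] or report["extra"] or report["altered"]) and report["total_diff"] == 0

if __name__ == "__main__":
    rep = reconcile(OLD_SYSTEM, NEW_SYSTEM)
    print(rep, "\nsafe to go live:", migration_clean(rep))
```

Matching counts alone would have passed this sample (four records on each side), which is why the control total and per-record hashes are checked as well.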